* Thu Jul 09 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-135

- Update mta_filetrans_named_content() interface to cover more db files.
- Revert "Remove ftpd_use_passive_mode boolean. It does not make sense due to ephemeral port handling."
- Allow pcp domains to connect to their own process using unix_stream_socket.
- Typo in abrt.te
- Allow abrt-upload-watch service to dbus chat with ABRT daemon and fsetid capability to allow running reporter-upload correctly.
- Add nagios_domtrans_unconfined_plugins() interface.
- Add nagios_domtrans_unconfined_plugins() interface.
- Add new boolean - httpd_run_ipa to allow httpd process to run IPA helper and dbus chat with oddjob.
- Add support for oddjob based helper in FreeIPA. BZ(1238165)
- Allow dnssec_trigger_t to create dnssec_trigger_tmp_t files in /var/tmp/. BZ(1240840)
- Allow ctdb_t to send signull to smbd_t, for checking whether the smbd process exists. BZ(1224879)
- Fix cron_system_cronjob_use_shares boolean to call fs interfaces which contain only entrypoint permission.
- Add cron_system_cronjob_use_shares boolean to allow system cronjob to be executed from shares - NFS, CIFS, FUSE. It requires "entrypoint" permissions on nfs_t, cifs_t and fusefs_t SELinux types.
- nrpe needs the kill capability to make gluster monitored nodes work.
- Revert "Dontaudit ctbd_t sending signull to smbd_t."
- Fix interface corenet_tcp_connect_postgresql_port_port(prosody_t)
- Allow prosody to connect to the postgresql port.
- Fix logging_syslogd_run_nagios_plugins calling in logging.te
- Add logging_syslogd_run_nagios_plugins boolean for rsyslog to allow transition to nagios unconfined plugins.
- Add support for oddjob based helper in FreeIPA. BZ(1238165)
- Add new interfaces
- Add fs_fusefs_entry_type() interface.
Lukas Vrabec 2015-07-09 10:31:45 +02:00
parent d04212cd26
commit f53ebea7af
3 changed files with 406 additions and 226 deletions


@ -35708,10 +35708,10 @@ index 4e94884..7ab6191 100644
+ filetrans_pattern($1, syslogd_var_run_t, $2, $3, $4) + filetrans_pattern($1, syslogd_var_run_t, $2, $3, $4)
+') +')
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index 59b04c1..aaf4124 100644 index 59b04c1..0bdf67e 100644
--- a/policy/modules/system/logging.te --- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te +++ b/policy/modules/system/logging.te
@@ -4,6 +4,21 @@ policy_module(logging, 1.20.1) @@ -4,6 +4,29 @@ policy_module(logging, 1.20.1)
# #
# Declarations # Declarations
# #
@ -35730,10 +35730,18 @@ index 59b04c1..aaf4124 100644
+## </p> +## </p>
+## </desc> +## </desc>
+gen_tunable(logging_syslogd_use_tty, true) +gen_tunable(logging_syslogd_use_tty, true)
+
+## <desc>
+## <p>
+## Allow syslogd the ability to call nagios plugins. It is
+## turned on by omprog rsyslog plugin.
+## </p>
+## </desc>
+gen_tunable(logging_syslogd_run_nagios_plugins, false)
attribute logfile; attribute logfile;
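Review bot: the <desc> text added for logging_syslogd_run_nagios_plugins in this hunk says the boolean "is turned on by omprog rsyslog plugin", which misdescribes a tunable: a plugin cannot flip a boolean, an administrator does, and this string is what `semanage boolean -l` shows that administrator. Suggest stating the access it enables instead, e.g. `## Allow syslogd to execute nagios plugins (needed when the rsyslog omprog module runs them).` It would also help to say in the description that the gated interface (nagios_domtrans_unconfined_plugins, per the changelog) transitions into an unconfined domain, so whoever enables it sees the trade-off. The `false` default is the right choice.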
@@ -20,6 +35,7 @@ files_security_file(auditd_log_t) @@ -20,6 +43,7 @@ files_security_file(auditd_log_t)
files_security_mountpoint(auditd_log_t) files_security_mountpoint(auditd_log_t)
type audit_spool_t; type audit_spool_t;
@ -35741,7 +35749,7 @@ index 59b04c1..aaf4124 100644
files_security_file(audit_spool_t) files_security_file(audit_spool_t)
files_security_mountpoint(audit_spool_t) files_security_mountpoint(audit_spool_t)
@@ -33,6 +49,9 @@ init_script_file(auditd_initrc_exec_t) @@ -33,6 +57,9 @@ init_script_file(auditd_initrc_exec_t)
type auditd_var_run_t; type auditd_var_run_t;
files_pid_file(auditd_var_run_t) files_pid_file(auditd_var_run_t)
@ -35751,7 +35759,7 @@ index 59b04c1..aaf4124 100644
type audisp_t; type audisp_t;
type audisp_exec_t; type audisp_exec_t;
init_system_domain(audisp_t, audisp_exec_t) init_system_domain(audisp_t, audisp_exec_t)
@@ -64,6 +83,7 @@ files_config_file(syslog_conf_t) @@ -64,6 +91,7 @@ files_config_file(syslog_conf_t)
type syslogd_t; type syslogd_t;
type syslogd_exec_t; type syslogd_exec_t;
init_daemon_domain(syslogd_t, syslogd_exec_t) init_daemon_domain(syslogd_t, syslogd_exec_t)
@ -35759,7 +35767,7 @@ index 59b04c1..aaf4124 100644
type syslogd_initrc_exec_t; type syslogd_initrc_exec_t;
init_script_file(syslogd_initrc_exec_t) init_script_file(syslogd_initrc_exec_t)
@@ -71,11 +91,15 @@ init_script_file(syslogd_initrc_exec_t) @@ -71,11 +99,15 @@ init_script_file(syslogd_initrc_exec_t)
type syslogd_tmp_t; type syslogd_tmp_t;
files_tmp_file(syslogd_tmp_t) files_tmp_file(syslogd_tmp_t)
@ -35775,7 +35783,7 @@ index 59b04c1..aaf4124 100644
type var_log_t; type var_log_t;
logging_log_file(var_log_t) logging_log_file(var_log_t)
@@ -94,6 +118,8 @@ ifdef(`enable_mls',` @@ -94,6 +126,8 @@ ifdef(`enable_mls',`
allow auditctl_t self:capability { fsetid dac_read_search dac_override }; allow auditctl_t self:capability { fsetid dac_read_search dac_override };
allow auditctl_t self:netlink_audit_socket nlmsg_readpriv; allow auditctl_t self:netlink_audit_socket nlmsg_readpriv;
@ -35784,7 +35792,7 @@ index 59b04c1..aaf4124 100644
read_files_pattern(auditctl_t, auditd_etc_t, auditd_etc_t) read_files_pattern(auditctl_t, auditd_etc_t, auditd_etc_t)
allow auditctl_t auditd_etc_t:dir list_dir_perms; allow auditctl_t auditd_etc_t:dir list_dir_perms;
@@ -111,7 +137,9 @@ domain_use_interactive_fds(auditctl_t) @@ -111,7 +145,9 @@ domain_use_interactive_fds(auditctl_t)
mls_file_read_all_levels(auditctl_t) mls_file_read_all_levels(auditctl_t)
@ -35795,7 +35803,7 @@ index 59b04c1..aaf4124 100644
init_dontaudit_use_fds(auditctl_t) init_dontaudit_use_fds(auditctl_t)
@@ -136,9 +164,10 @@ allow auditd_t self:tcp_socket create_stream_socket_perms; @@ -136,9 +172,10 @@ allow auditd_t self:tcp_socket create_stream_socket_perms;
allow auditd_t auditd_etc_t:dir list_dir_perms; allow auditd_t auditd_etc_t:dir list_dir_perms;
allow auditd_t auditd_etc_t:file read_file_perms; allow auditd_t auditd_etc_t:file read_file_perms;
@ -35807,7 +35815,7 @@ index 59b04c1..aaf4124 100644
manage_files_pattern(auditd_t, auditd_var_run_t, auditd_var_run_t) manage_files_pattern(auditd_t, auditd_var_run_t, auditd_var_run_t)
manage_sock_files_pattern(auditd_t, auditd_var_run_t, auditd_var_run_t) manage_sock_files_pattern(auditd_t, auditd_var_run_t, auditd_var_run_t)
@@ -148,6 +177,7 @@ kernel_read_kernel_sysctls(auditd_t) @@ -148,6 +185,7 @@ kernel_read_kernel_sysctls(auditd_t)
# Needs to be able to run dispatcher. see /etc/audit/auditd.conf # Needs to be able to run dispatcher. see /etc/audit/auditd.conf
# Probably want a transition, and a new auditd_helper app # Probably want a transition, and a new auditd_helper app
kernel_read_system_state(auditd_t) kernel_read_system_state(auditd_t)
@ -35815,7 +35823,7 @@ index 59b04c1..aaf4124 100644
dev_read_sysfs(auditd_t) dev_read_sysfs(auditd_t)
@@ -155,9 +185,6 @@ fs_getattr_all_fs(auditd_t) @@ -155,9 +193,6 @@ fs_getattr_all_fs(auditd_t)
fs_search_auto_mountpoints(auditd_t) fs_search_auto_mountpoints(auditd_t)
fs_rw_anon_inodefs_files(auditd_t) fs_rw_anon_inodefs_files(auditd_t)
@ -35825,7 +35833,7 @@ index 59b04c1..aaf4124 100644
corenet_all_recvfrom_netlabel(auditd_t) corenet_all_recvfrom_netlabel(auditd_t)
corenet_tcp_sendrecv_generic_if(auditd_t) corenet_tcp_sendrecv_generic_if(auditd_t)
corenet_tcp_sendrecv_generic_node(auditd_t) corenet_tcp_sendrecv_generic_node(auditd_t)
@@ -183,16 +210,17 @@ logging_send_syslog_msg(auditd_t) @@ -183,16 +218,17 @@ logging_send_syslog_msg(auditd_t)
logging_domtrans_dispatcher(auditd_t) logging_domtrans_dispatcher(auditd_t)
logging_signal_dispatcher(auditd_t) logging_signal_dispatcher(auditd_t)
@ -35847,7 +35855,7 @@ index 59b04c1..aaf4124 100644
userdom_dontaudit_use_unpriv_user_fds(auditd_t) userdom_dontaudit_use_unpriv_user_fds(auditd_t)
userdom_dontaudit_search_user_home_dirs(auditd_t) userdom_dontaudit_search_user_home_dirs(auditd_t)
@@ -237,19 +265,29 @@ corecmd_exec_shell(audisp_t) @@ -237,19 +273,29 @@ corecmd_exec_shell(audisp_t)
domain_use_interactive_fds(audisp_t) domain_use_interactive_fds(audisp_t)
@ -35879,7 +35887,7 @@ index 59b04c1..aaf4124 100644
') ')
######################################## ########################################
@@ -268,7 +306,6 @@ files_spool_filetrans(audisp_remote_t, audit_spool_t, { dir file }) @@ -268,7 +314,6 @@ files_spool_filetrans(audisp_remote_t, audit_spool_t, { dir file })
corecmd_exec_bin(audisp_remote_t) corecmd_exec_bin(audisp_remote_t)
@ -35887,7 +35895,7 @@ index 59b04c1..aaf4124 100644
corenet_all_recvfrom_netlabel(audisp_remote_t) corenet_all_recvfrom_netlabel(audisp_remote_t)
corenet_tcp_sendrecv_generic_if(audisp_remote_t) corenet_tcp_sendrecv_generic_if(audisp_remote_t)
corenet_tcp_sendrecv_generic_node(audisp_remote_t) corenet_tcp_sendrecv_generic_node(audisp_remote_t)
@@ -280,10 +317,18 @@ corenet_sendrecv_audit_client_packets(audisp_remote_t) @@ -280,10 +325,18 @@ corenet_sendrecv_audit_client_packets(audisp_remote_t)
files_read_etc_files(audisp_remote_t) files_read_etc_files(audisp_remote_t)
@ -35907,7 +35915,7 @@ index 59b04c1..aaf4124 100644
sysnet_dns_name_resolve(audisp_remote_t) sysnet_dns_name_resolve(audisp_remote_t)
@@ -326,7 +371,6 @@ files_read_etc_files(klogd_t) @@ -326,7 +379,6 @@ files_read_etc_files(klogd_t)
logging_send_syslog_msg(klogd_t) logging_send_syslog_msg(klogd_t)
@ -35915,7 +35923,7 @@ index 59b04c1..aaf4124 100644
mls_file_read_all_levels(klogd_t) mls_file_read_all_levels(klogd_t)
@@ -355,13 +399,12 @@ optional_policy(` @@ -355,13 +407,12 @@ optional_policy(`
# sys_admin for the integrated klog of syslog-ng and metalog # sys_admin for the integrated klog of syslog-ng and metalog
# sys_nice for rsyslog # sys_nice for rsyslog
# cjp: why net_admin! # cjp: why net_admin!
@ -35932,7 +35940,7 @@ index 59b04c1..aaf4124 100644
# receive messages to be logged # receive messages to be logged
allow syslogd_t self:unix_dgram_socket create_socket_perms; allow syslogd_t self:unix_dgram_socket create_socket_perms;
allow syslogd_t self:unix_stream_socket create_stream_socket_perms; allow syslogd_t self:unix_stream_socket create_stream_socket_perms;
@@ -369,11 +412,15 @@ allow syslogd_t self:unix_dgram_socket sendto; @@ -369,11 +420,15 @@ allow syslogd_t self:unix_dgram_socket sendto;
allow syslogd_t self:fifo_file rw_fifo_file_perms; allow syslogd_t self:fifo_file rw_fifo_file_perms;
allow syslogd_t self:udp_socket create_socket_perms; allow syslogd_t self:udp_socket create_socket_perms;
allow syslogd_t self:tcp_socket create_stream_socket_perms; allow syslogd_t self:tcp_socket create_stream_socket_perms;
@ -35949,7 +35957,7 @@ index 59b04c1..aaf4124 100644
files_pid_filetrans(syslogd_t, devlog_t, sock_file) files_pid_filetrans(syslogd_t, devlog_t, sock_file)
# create/append log files. # create/append log files.
@@ -389,30 +436,47 @@ manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t) @@ -389,30 +444,47 @@ manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
manage_files_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t) manage_files_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
files_tmp_filetrans(syslogd_t, syslogd_tmp_t, { dir file }) files_tmp_filetrans(syslogd_t, syslogd_tmp_t, { dir file })
@ -36000,7 +36008,7 @@ index 59b04c1..aaf4124 100644
# syslog-ng can listen and connect on tcp port 514 (rsh) # syslog-ng can listen and connect on tcp port 514 (rsh)
corenet_tcp_sendrecv_generic_if(syslogd_t) corenet_tcp_sendrecv_generic_if(syslogd_t)
corenet_tcp_sendrecv_generic_node(syslogd_t) corenet_tcp_sendrecv_generic_node(syslogd_t)
@@ -422,6 +486,8 @@ corenet_tcp_bind_rsh_port(syslogd_t) @@ -422,6 +494,8 @@ corenet_tcp_bind_rsh_port(syslogd_t)
corenet_tcp_connect_rsh_port(syslogd_t) corenet_tcp_connect_rsh_port(syslogd_t)
# Allow users to define additional syslog ports to connect to # Allow users to define additional syslog ports to connect to
corenet_tcp_bind_syslogd_port(syslogd_t) corenet_tcp_bind_syslogd_port(syslogd_t)
@ -36009,7 +36017,7 @@ index 59b04c1..aaf4124 100644
corenet_tcp_connect_syslogd_port(syslogd_t) corenet_tcp_connect_syslogd_port(syslogd_t)
corenet_tcp_connect_postgresql_port(syslogd_t) corenet_tcp_connect_postgresql_port(syslogd_t)
corenet_tcp_connect_mysqld_port(syslogd_t) corenet_tcp_connect_mysqld_port(syslogd_t)
@@ -432,9 +498,26 @@ corenet_sendrecv_syslogd_server_packets(syslogd_t) @@ -432,9 +506,32 @@ corenet_sendrecv_syslogd_server_packets(syslogd_t)
corenet_sendrecv_postgresql_client_packets(syslogd_t) corenet_sendrecv_postgresql_client_packets(syslogd_t)
corenet_sendrecv_mysqld_client_packets(syslogd_t) corenet_sendrecv_mysqld_client_packets(syslogd_t)
@ -36022,6 +36030,12 @@ index 59b04c1..aaf4124 100644
+ # support for ommail module to send logs via mail + # support for ommail module to send logs via mail
+ corenet_tcp_connect_smtp_port(syslogd_t) + corenet_tcp_connect_smtp_port(syslogd_t)
+') +')
+
+optional_policy(`
+ tunable_policy(`logging_syslogd_run_nagios_plugins',`
+ nagios_domtrans_unconfined_plugins(syslogd_t)
+ ')
+')
+ +
dev_filetrans(syslogd_t, devlog_t, sock_file) dev_filetrans(syslogd_t, devlog_t, sock_file)
dev_read_sysfs(syslogd_t) dev_read_sysfs(syslogd_t)
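Review bot: the tunable_policy block added here is the only gate on nagios_domtrans_unconfined_plugins(syslogd_t), so with the boolean on, a program launched by rsyslog's omprog module leaves syslogd_t for an unconfined domain, and nothing in the hunk constrains which executable that is. Confirm that the entrypoint type used by the interface is a label applied only to the nagios plugin binaries and not a generic executable type, and keep the transition documented next to the boolean so the escalation it permits is visible to whoever enables it. The outer optional_policy() wrapper is correct, since the nagios module is not guaranteed to be present at link time.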
@ -36037,7 +36051,7 @@ index 59b04c1..aaf4124 100644
domain_use_interactive_fds(syslogd_t) domain_use_interactive_fds(syslogd_t)
files_read_etc_files(syslogd_t) files_read_etc_files(syslogd_t)
@@ -448,13 +531,17 @@ files_var_lib_filetrans(syslogd_t, syslogd_var_lib_t, { file dir }) @@ -448,13 +545,17 @@ files_var_lib_filetrans(syslogd_t, syslogd_var_lib_t, { file dir })
fs_getattr_all_fs(syslogd_t) fs_getattr_all_fs(syslogd_t)
fs_search_auto_mountpoints(syslogd_t) fs_search_auto_mountpoints(syslogd_t)
@ -36055,7 +36069,7 @@ index 59b04c1..aaf4124 100644
# for sending messages to logged in users # for sending messages to logged in users
init_read_utmp(syslogd_t) init_read_utmp(syslogd_t)
init_dontaudit_write_utmp(syslogd_t) init_dontaudit_write_utmp(syslogd_t)
@@ -466,11 +553,12 @@ init_use_fds(syslogd_t) @@ -466,11 +567,12 @@ init_use_fds(syslogd_t)
# cjp: this doesnt make sense # cjp: this doesnt make sense
logging_send_syslog_msg(syslogd_t) logging_send_syslog_msg(syslogd_t)
@ -36071,7 +36085,7 @@ index 59b04c1..aaf4124 100644
ifdef(`distro_gentoo',` ifdef(`distro_gentoo',`
# default gentoo syslog-ng config appends kernel # default gentoo syslog-ng config appends kernel
@@ -497,6 +585,7 @@ optional_policy(` @@ -497,6 +599,7 @@ optional_policy(`
optional_policy(` optional_policy(`
cron_manage_log_files(syslogd_t) cron_manage_log_files(syslogd_t)
cron_generic_log_filetrans_log(syslogd_t, file, "cron.log") cron_generic_log_filetrans_log(syslogd_t, file, "cron.log")
@ -36079,7 +36093,7 @@ index 59b04c1..aaf4124 100644
') ')
optional_policy(` optional_policy(`
@@ -507,15 +596,40 @@ optional_policy(` @@ -507,15 +610,40 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -36120,7 +36134,7 @@ index 59b04c1..aaf4124 100644
') ')
optional_policy(` optional_policy(`
@@ -526,3 +640,26 @@ optional_policy(` @@ -526,3 +654,26 @@ optional_policy(`
# log to the xconsole # log to the xconsole
xserver_rw_console(syslogd_t) xserver_rw_console(syslogd_t)
') ')
@ -44854,7 +44868,7 @@ index db75976..c54480a 100644
+/var/tmp/hsperfdata_root gen_context(system_u:object_r:user_tmp_t,s0) +/var/tmp/hsperfdata_root gen_context(system_u:object_r:user_tmp_t,s0)
+ +
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index 9dc60c6..769ce74 100644 index 9dc60c6..a24e48e 100644
--- a/policy/modules/system/userdomain.if --- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if
@@ -30,9 +30,11 @@ template(`userdom_base_user_template',` @@ -30,9 +30,11 @@ template(`userdom_base_user_template',`
@ -45855,7 +45869,7 @@ index 9dc60c6..769ce74 100644
userdom_change_password_template($1) userdom_change_password_template($1)
@@ -761,83 +1007,107 @@ template(`userdom_login_user_template', ` @@ -761,82 +1007,109 @@ template(`userdom_login_user_template', `
# #
# User domain Local policy # User domain Local policy
# #
@ -45990,16 +46004,18 @@ index 9dc60c6..769ce74 100644
+ oddjob_run_mkhomedir($1_t, $1_r) + oddjob_run_mkhomedir($1_t, $1_r)
') ')
+ optional_policy(`
+ ipa_run_helper($1_t, $1_r)
+ ')
+
optional_policy(` optional_policy(`
- rpm_read_db($1_t) - rpm_read_db($1_t)
- rpm_dontaudit_manage_db($1_t) - rpm_dontaudit_manage_db($1_t)
+ wine_filetrans_named_content($1_usertype) + wine_filetrans_named_content($1_usertype)
') ')
+
') ')
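Review bot: ipa_run_helper($1_t, $1_r) is added to userdom_login_user_template unconditionally, so every login user domain built from this template, not only the ones on FreeIPA clients, gets the domain transition (and the role assignment implied by the $1_r argument) to the oddjob helper; the changelog gates the equivalent httpd access behind the new httpd_run_ipa boolean, and a tunable_policy wrapper would fit here too unless the transition is inert when the helper is not installed. Separately, no hunk visible in this commit defines ipa_run_helper(); optional_policy() only skips a block whose referenced types are missing at link time, it does not rescue an undefined m4 interface, which fails the policy build, so make sure the interface definition lands in the same change.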
####################################### @@ -868,6 +1141,12 @@ template(`userdom_restricted_user_template',`
@@ -868,6 +1138,12 @@ template(`userdom_restricted_user_template',`
typeattribute $1_t unpriv_userdomain; typeattribute $1_t unpriv_userdomain;
domain_interactive_fd($1_t) domain_interactive_fd($1_t)
@ -46012,7 +46028,7 @@ index 9dc60c6..769ce74 100644
############################## ##############################
# #
# Local policy # Local policy
@@ -907,53 +1183,137 @@ template(`userdom_restricted_xwindows_user_template',` @@ -907,53 +1186,137 @@ template(`userdom_restricted_xwindows_user_template',`
# #
# Local policy # Local policy
# #
@ -46168,7 +46184,7 @@ index 9dc60c6..769ce74 100644
') ')
####################################### #######################################
@@ -987,27 +1347,33 @@ template(`userdom_unpriv_user_template', ` @@ -987,27 +1350,33 @@ template(`userdom_unpriv_user_template', `
# #
# Inherit rules for ordinary users. # Inherit rules for ordinary users.
@ -46206,7 +46222,7 @@ index 9dc60c6..769ce74 100644
fs_manage_noxattr_fs_files($1_t) fs_manage_noxattr_fs_files($1_t)
fs_manage_noxattr_fs_dirs($1_t) fs_manage_noxattr_fs_dirs($1_t)
# Write floppies # Write floppies
@@ -1018,23 +1384,63 @@ template(`userdom_unpriv_user_template', ` @@ -1018,23 +1387,63 @@ template(`userdom_unpriv_user_template', `
') ')
') ')
@ -46280,7 +46296,7 @@ index 9dc60c6..769ce74 100644
') ')
# Run pppd in pppd_t by default for user # Run pppd in pppd_t by default for user
@@ -1043,7 +1449,9 @@ template(`userdom_unpriv_user_template', ` @@ -1043,7 +1452,9 @@ template(`userdom_unpriv_user_template', `
') ')
optional_policy(` optional_policy(`
@ -46291,7 +46307,7 @@ index 9dc60c6..769ce74 100644
') ')
') ')
@@ -1079,7 +1487,9 @@ template(`userdom_unpriv_user_template', ` @@ -1079,7 +1490,9 @@ template(`userdom_unpriv_user_template', `
template(`userdom_admin_user_template',` template(`userdom_admin_user_template',`
gen_require(` gen_require(`
attribute admindomain; attribute admindomain;
@ -46302,7 +46318,7 @@ index 9dc60c6..769ce74 100644
') ')
############################## ##############################
@@ -1095,6 +1505,7 @@ template(`userdom_admin_user_template',` @@ -1095,6 +1508,7 @@ template(`userdom_admin_user_template',`
role system_r types $1_t; role system_r types $1_t;
typeattribute $1_t admindomain; typeattribute $1_t admindomain;
@ -46310,7 +46326,7 @@ index 9dc60c6..769ce74 100644
ifdef(`direct_sysadm_daemon',` ifdef(`direct_sysadm_daemon',`
domain_system_change_exemption($1_t) domain_system_change_exemption($1_t)
@@ -1105,14 +1516,8 @@ template(`userdom_admin_user_template',` @@ -1105,14 +1519,8 @@ template(`userdom_admin_user_template',`
# $1_t local policy # $1_t local policy
# #
@ -46327,7 +46343,7 @@ index 9dc60c6..769ce74 100644
kernel_read_software_raid_state($1_t) kernel_read_software_raid_state($1_t)
kernel_getattr_core_if($1_t) kernel_getattr_core_if($1_t)
@@ -1128,6 +1533,7 @@ template(`userdom_admin_user_template',` @@ -1128,6 +1536,7 @@ template(`userdom_admin_user_template',`
kernel_sigstop_unlabeled($1_t) kernel_sigstop_unlabeled($1_t)
kernel_signull_unlabeled($1_t) kernel_signull_unlabeled($1_t)
kernel_sigchld_unlabeled($1_t) kernel_sigchld_unlabeled($1_t)
@ -46335,7 +46351,7 @@ index 9dc60c6..769ce74 100644
corenet_tcp_bind_generic_port($1_t) corenet_tcp_bind_generic_port($1_t)
# allow setting up tunnels # allow setting up tunnels
@@ -1145,10 +1551,15 @@ template(`userdom_admin_user_template',` @@ -1145,10 +1554,15 @@ template(`userdom_admin_user_template',`
dev_rename_all_blk_files($1_t) dev_rename_all_blk_files($1_t)
dev_rename_all_chr_files($1_t) dev_rename_all_chr_files($1_t)
dev_create_generic_symlinks($1_t) dev_create_generic_symlinks($1_t)
@ -46351,7 +46367,7 @@ index 9dc60c6..769ce74 100644
domain_dontaudit_ptrace_all_domains($1_t) domain_dontaudit_ptrace_all_domains($1_t)
# signal all domains: # signal all domains:
domain_kill_all_domains($1_t) domain_kill_all_domains($1_t)
@@ -1159,29 +1570,40 @@ template(`userdom_admin_user_template',` @@ -1159,29 +1573,40 @@ template(`userdom_admin_user_template',`
domain_sigchld_all_domains($1_t) domain_sigchld_all_domains($1_t)
# for lsof # for lsof
domain_getattr_all_sockets($1_t) domain_getattr_all_sockets($1_t)
@ -46396,7 +46412,7 @@ index 9dc60c6..769ce74 100644
# The following rule is temporary until such time that a complete # The following rule is temporary until such time that a complete
# policy management infrastructure is in place so that an administrator # policy management infrastructure is in place so that an administrator
@@ -1191,6 +1613,8 @@ template(`userdom_admin_user_template',` @@ -1191,6 +1616,8 @@ template(`userdom_admin_user_template',`
# But presently necessary for installing the file_contexts file. # But presently necessary for installing the file_contexts file.
seutil_manage_bin_policy($1_t) seutil_manage_bin_policy($1_t)
@ -46405,7 +46421,7 @@ index 9dc60c6..769ce74 100644
userdom_manage_user_home_content_dirs($1_t) userdom_manage_user_home_content_dirs($1_t)
userdom_manage_user_home_content_files($1_t) userdom_manage_user_home_content_files($1_t)
userdom_manage_user_home_content_symlinks($1_t) userdom_manage_user_home_content_symlinks($1_t)
@@ -1198,13 +1622,21 @@ template(`userdom_admin_user_template',` @@ -1198,13 +1625,21 @@ template(`userdom_admin_user_template',`
userdom_manage_user_home_content_sockets($1_t) userdom_manage_user_home_content_sockets($1_t)
userdom_user_home_dir_filetrans_user_home_content($1_t, { dir file lnk_file fifo_file sock_file }) userdom_user_home_dir_filetrans_user_home_content($1_t, { dir file lnk_file fifo_file sock_file })
@ -46428,7 +46444,7 @@ index 9dc60c6..769ce74 100644
optional_policy(` optional_policy(`
postgresql_unconfined($1_t) postgresql_unconfined($1_t)
') ')
@@ -1240,7 +1672,7 @@ template(`userdom_admin_user_template',` @@ -1240,7 +1675,7 @@ template(`userdom_admin_user_template',`
## </summary> ## </summary>
## </param> ## </param>
# #
@ -46437,7 +46453,7 @@ index 9dc60c6..769ce74 100644
allow $1 self:capability { dac_read_search dac_override }; allow $1 self:capability { dac_read_search dac_override };
corecmd_exec_shell($1) corecmd_exec_shell($1)
@@ -1250,6 +1682,8 @@ template(`userdom_security_admin_template',` @@ -1250,6 +1685,8 @@ template(`userdom_security_admin_template',`
dev_relabel_all_dev_nodes($1) dev_relabel_all_dev_nodes($1)
files_create_boot_flag($1) files_create_boot_flag($1)
@ -46446,7 +46462,7 @@ index 9dc60c6..769ce74 100644
# Necessary for managing /boot/efi # Necessary for managing /boot/efi
fs_manage_dos_files($1) fs_manage_dos_files($1)
@@ -1262,8 +1696,10 @@ template(`userdom_security_admin_template',` @@ -1262,8 +1699,10 @@ template(`userdom_security_admin_template',`
selinux_set_enforce_mode($1) selinux_set_enforce_mode($1)
selinux_set_all_booleans($1) selinux_set_all_booleans($1)
selinux_set_parameters($1) selinux_set_parameters($1)
@ -46458,7 +46474,7 @@ index 9dc60c6..769ce74 100644
auth_relabel_shadow($1) auth_relabel_shadow($1)
init_exec($1) init_exec($1)
@@ -1274,29 +1710,31 @@ template(`userdom_security_admin_template',` @@ -1274,29 +1713,31 @@ template(`userdom_security_admin_template',`
logging_read_audit_config($1) logging_read_audit_config($1)
seutil_manage_bin_policy($1) seutil_manage_bin_policy($1)
@ -46501,7 +46517,7 @@ index 9dc60c6..769ce74 100644
') ')
optional_policy(` optional_policy(`
@@ -1357,14 +1795,17 @@ interface(`userdom_user_home_content',` @@ -1357,14 +1798,17 @@ interface(`userdom_user_home_content',`
gen_require(` gen_require(`
attribute user_home_content_type; attribute user_home_content_type;
type user_home_t; type user_home_t;
@ -46520,7 +46536,7 @@ index 9dc60c6..769ce74 100644
') ')
######################################## ########################################
@@ -1397,12 +1838,51 @@ interface(`userdom_user_tmp_file',` @@ -1397,12 +1841,51 @@ interface(`userdom_user_tmp_file',`
## </param> ## </param>
# #
interface(`userdom_user_tmpfs_file',` interface(`userdom_user_tmpfs_file',`
@ -46573,7 +46589,7 @@ index 9dc60c6..769ce74 100644
## Allow domain to attach to TUN devices created by administrative users. ## Allow domain to attach to TUN devices created by administrative users.
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
@@ -1509,11 +1989,31 @@ interface(`userdom_search_user_home_dirs',` @@ -1509,11 +1992,31 @@ interface(`userdom_search_user_home_dirs',`
') ')
allow $1 user_home_dir_t:dir search_dir_perms; allow $1 user_home_dir_t:dir search_dir_perms;
@ -46605,7 +46621,7 @@ index 9dc60c6..769ce74 100644
## Do not audit attempts to search user home directories. ## Do not audit attempts to search user home directories.
## </summary> ## </summary>
## <desc> ## <desc>
@@ -1555,6 +2055,14 @@ interface(`userdom_list_user_home_dirs',` @@ -1555,6 +2058,14 @@ interface(`userdom_list_user_home_dirs',`
allow $1 user_home_dir_t:dir list_dir_perms; allow $1 user_home_dir_t:dir list_dir_perms;
files_search_home($1) files_search_home($1)
@ -46620,7 +46636,7 @@ index 9dc60c6..769ce74 100644
') ')
######################################## ########################################
@@ -1570,9 +2078,11 @@ interface(`userdom_list_user_home_dirs',` @@ -1570,9 +2081,11 @@ interface(`userdom_list_user_home_dirs',`
interface(`userdom_dontaudit_list_user_home_dirs',` interface(`userdom_dontaudit_list_user_home_dirs',`
gen_require(` gen_require(`
type user_home_dir_t; type user_home_dir_t;
@ -46632,7 +46648,7 @@ index 9dc60c6..769ce74 100644
') ')
######################################## ########################################
@@ -1613,6 +2123,24 @@ interface(`userdom_manage_user_home_dirs',` @@ -1613,6 +2126,24 @@ interface(`userdom_manage_user_home_dirs',`
######################################## ########################################
## <summary> ## <summary>
@ -46657,7 +46673,7 @@ index 9dc60c6..769ce74 100644
## Relabel to user home directories. ## Relabel to user home directories.
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
@@ -1631,6 +2159,59 @@ interface(`userdom_relabelto_user_home_dirs',` @@ -1631,6 +2162,59 @@ interface(`userdom_relabelto_user_home_dirs',`
######################################## ########################################
## <summary> ## <summary>
@ -46717,7 +46733,7 @@ index 9dc60c6..769ce74 100644
## Create directories in the home dir root with ## Create directories in the home dir root with
## the user home directory type. ## the user home directory type.
## </summary> ## </summary>
@@ -1704,10 +2285,12 @@ interface(`userdom_user_home_domtrans',` @@ -1704,10 +2288,12 @@ interface(`userdom_user_home_domtrans',`
# #
interface(`userdom_dontaudit_search_user_home_content',` interface(`userdom_dontaudit_search_user_home_content',`
gen_require(` gen_require(`
@ -46732,7 +46748,7 @@ index 9dc60c6..769ce74 100644
') ')
######################################## ########################################
@@ -1741,10 +2324,12 @@ interface(`userdom_list_all_user_home_content',` @@ -1741,10 +2327,12 @@ interface(`userdom_list_all_user_home_content',`
# #
interface(`userdom_list_user_home_content',` interface(`userdom_list_user_home_content',`
gen_require(` gen_require(`
@ -46747,7 +46763,7 @@ index 9dc60c6..769ce74 100644
') ')
######################################## ########################################
@@ -1769,7 +2354,7 @@ interface(`userdom_manage_user_home_content_dirs',` @@ -1769,7 +2357,7 @@ interface(`userdom_manage_user_home_content_dirs',`
######################################## ########################################
## <summary> ## <summary>
@ -46756,7 +46772,7 @@ index 9dc60c6..769ce74 100644
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
@@ -1777,19 +2362,17 @@ interface(`userdom_manage_user_home_content_dirs',` @@ -1777,19 +2365,17 @@ interface(`userdom_manage_user_home_content_dirs',`
## </summary> ## </summary>
## </param> ## </param>
# #
@ -46780,7 +46796,7 @@ index 9dc60c6..769ce74 100644
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
@@ -1797,55 +2380,55 @@ interface(`userdom_delete_all_user_home_content_dirs',` @@ -1797,55 +2383,55 @@ interface(`userdom_delete_all_user_home_content_dirs',`
## </summary> ## </summary>
## </param> ## </param>
# #
@ -46851,7 +46867,7 @@ index 9dc60c6..769ce74 100644
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
@@ -1853,18 +2436,19 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',` @@ -1853,18 +2439,19 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',`
## </summary> ## </summary>
## </param> ## </param>
# #
@ -46879,7 +46895,7 @@ index 9dc60c6..769ce74 100644
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
@@ -1872,17 +2456,151 @@ interface(`userdom_mmap_user_home_content_files',` @@ -1872,17 +2459,151 @@ interface(`userdom_mmap_user_home_content_files',`
## </summary> ## </summary>
## </param> ## </param>
# #
@ -47035,7 +47051,7 @@ index 9dc60c6..769ce74 100644
## Do not audit attempts to read user home files. ## Do not audit attempts to read user home files.
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
@@ -1893,11 +2611,14 @@ interface(`userdom_read_user_home_content_files',` @@ -1893,11 +2614,14 @@ interface(`userdom_read_user_home_content_files',`
# #
interface(`userdom_dontaudit_read_user_home_content_files',` interface(`userdom_dontaudit_read_user_home_content_files',`
gen_require(` gen_require(`
@ -47053,7 +47069,7 @@ index 9dc60c6..769ce74 100644
') ')
######################################## ########################################
@@ -1938,7 +2659,7 @@ interface(`userdom_dontaudit_write_user_home_content_files',` @@ -1938,7 +2662,7 @@ interface(`userdom_dontaudit_write_user_home_content_files',`
######################################## ########################################
## <summary> ## <summary>
@ -47062,7 +47078,7 @@ index 9dc60c6..769ce74 100644
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
@@ -1946,10 +2667,9 @@ interface(`userdom_dontaudit_write_user_home_content_files',` @@ -1946,10 +2670,9 @@ interface(`userdom_dontaudit_write_user_home_content_files',`
## </summary> ## </summary>
## </param> ## </param>
# #
@ -47075,7 +47091,7 @@ index 9dc60c6..769ce74 100644
') ')
userdom_search_user_home_content($1) userdom_search_user_home_content($1)
@@ -1958,7 +2678,7 @@ interface(`userdom_delete_all_user_home_content_files',` @@ -1958,7 +2681,7 @@ interface(`userdom_delete_all_user_home_content_files',`
######################################## ########################################
## <summary> ## <summary>
@ -47084,7 +47100,7 @@ index 9dc60c6..769ce74 100644
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
@@ -1966,12 +2686,66 @@ interface(`userdom_delete_all_user_home_content_files',` @@ -1966,12 +2689,66 @@ interface(`userdom_delete_all_user_home_content_files',`
## </summary> ## </summary>
## </param> ## </param>
# #
@ -47153,7 +47169,7 @@ index 9dc60c6..769ce74 100644
') ')
######################################## ########################################
@@ -2007,8 +2781,7 @@ interface(`userdom_read_user_home_content_symlinks',` @@ -2007,8 +2784,7 @@ interface(`userdom_read_user_home_content_symlinks',`
type user_home_dir_t, user_home_t; type user_home_dir_t, user_home_t;
') ')
@ -47163,7 +47179,7 @@ index 9dc60c6..769ce74 100644
') ')
######################################## ########################################
@@ -2024,20 +2797,14 @@ interface(`userdom_read_user_home_content_symlinks',` @@ -2024,20 +2800,14 @@ interface(`userdom_read_user_home_content_symlinks',`
# #
interface(`userdom_exec_user_home_content_files',` interface(`userdom_exec_user_home_content_files',`
gen_require(` gen_require(`
@ -47188,7 +47204,7 @@ index 9dc60c6..769ce74 100644
######################################## ########################################
## <summary> ## <summary>
@@ -2120,7 +2887,7 @@ interface(`userdom_manage_user_home_content_symlinks',` @@ -2120,7 +2890,7 @@ interface(`userdom_manage_user_home_content_symlinks',`
######################################## ########################################
## <summary> ## <summary>
@ -47197,7 +47213,7 @@ index 9dc60c6..769ce74 100644
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
@@ -2128,19 +2895,17 @@ interface(`userdom_manage_user_home_content_symlinks',` @@ -2128,19 +2898,17 @@ interface(`userdom_manage_user_home_content_symlinks',`
## </summary> ## </summary>
## </param> ## </param>
# #
@ -47221,7 +47237,7 @@ index 9dc60c6..769ce74 100644
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
@@ -2148,12 +2913,12 @@ interface(`userdom_delete_all_user_home_content_symlinks',` @@ -2148,12 +2916,12 @@ interface(`userdom_delete_all_user_home_content_symlinks',`
## </summary> ## </summary>
## </param> ## </param>
# #
@ -47237,7 +47253,7 @@ index 9dc60c6..769ce74 100644
') ')
######################################## ########################################
@@ -2388,18 +3153,54 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',` @@ -2388,18 +3156,54 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',`
## </summary> ## </summary>
## </param> ## </param>
# #
@ -47295,7 +47311,7 @@ index 9dc60c6..769ce74 100644
## Do not audit attempts to read users ## Do not audit attempts to read users
## temporary files. ## temporary files.
## </summary> ## </summary>
@@ -2414,7 +3215,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',` @@ -2414,7 +3218,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
type user_tmp_t; type user_tmp_t;
') ')
@ -47304,7 +47320,7 @@ index 9dc60c6..769ce74 100644
') ')
######################################## ########################################
@@ -2455,6 +3256,25 @@ interface(`userdom_rw_user_tmp_files',` @@ -2455,6 +3259,25 @@ interface(`userdom_rw_user_tmp_files',`
rw_files_pattern($1, user_tmp_t, user_tmp_t) rw_files_pattern($1, user_tmp_t, user_tmp_t)
files_search_tmp($1) files_search_tmp($1)
') ')
@ -47330,7 +47346,7 @@ index 9dc60c6..769ce74 100644
######################################## ########################################
## <summary> ## <summary>
@@ -2538,7 +3358,7 @@ interface(`userdom_manage_user_tmp_files',` @@ -2538,7 +3361,7 @@ interface(`userdom_manage_user_tmp_files',`
######################################## ########################################
## <summary> ## <summary>
## Create, read, write, and delete user ## Create, read, write, and delete user
@ -47339,7 +47355,7 @@ index 9dc60c6..769ce74 100644
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
@@ -2546,19 +3366,19 @@ interface(`userdom_manage_user_tmp_files',` @@ -2546,19 +3369,19 @@ interface(`userdom_manage_user_tmp_files',`
## </summary> ## </summary>
## </param> ## </param>
# #
@ -47362,7 +47378,7 @@ index 9dc60c6..769ce74 100644
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
@@ -2566,19 +3386,19 @@ interface(`userdom_manage_user_tmp_symlinks',` @@ -2566,19 +3389,19 @@ interface(`userdom_manage_user_tmp_symlinks',`
## </summary> ## </summary>
## </param> ## </param>
# #
@ -47385,7 +47401,7 @@ index 9dc60c6..769ce74 100644
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
@@ -2586,19 +3406,60 @@ interface(`userdom_manage_user_tmp_pipes',` @@ -2586,19 +3409,60 @@ interface(`userdom_manage_user_tmp_pipes',`
## </summary> ## </summary>
## </param> ## </param>
# #
@ -47450,7 +47466,7 @@ index 9dc60c6..769ce74 100644
## a specified private type. ## a specified private type.
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
@@ -2661,6 +3522,21 @@ interface(`userdom_tmp_filetrans_user_tmp',` @@ -2661,6 +3525,21 @@ interface(`userdom_tmp_filetrans_user_tmp',`
files_tmp_filetrans($1, user_tmp_t, $2, $3) files_tmp_filetrans($1, user_tmp_t, $2, $3)
') ')
@ -47472,7 +47488,7 @@ index 9dc60c6..769ce74 100644
######################################## ########################################
## <summary> ## <summary>
## Read user tmpfs files. ## Read user tmpfs files.
@@ -2672,18 +3548,13 @@ interface(`userdom_tmp_filetrans_user_tmp',` @@ -2672,18 +3551,13 @@ interface(`userdom_tmp_filetrans_user_tmp',`
## </param> ## </param>
# #
interface(`userdom_read_user_tmpfs_files',` interface(`userdom_read_user_tmpfs_files',`
@ -47494,7 +47510,7 @@ index 9dc60c6..769ce74 100644
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
@@ -2692,19 +3563,13 @@ interface(`userdom_read_user_tmpfs_files',` @@ -2692,19 +3566,13 @@ interface(`userdom_read_user_tmpfs_files',`
## </param> ## </param>
# #
interface(`userdom_rw_user_tmpfs_files',` interface(`userdom_rw_user_tmpfs_files',`
@ -47517,7 +47533,7 @@ index 9dc60c6..769ce74 100644
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
@@ -2713,13 +3578,56 @@ interface(`userdom_rw_user_tmpfs_files',` @@ -2713,13 +3581,56 @@ interface(`userdom_rw_user_tmpfs_files',`
## </param> ## </param>
# #
interface(`userdom_manage_user_tmpfs_files',` interface(`userdom_manage_user_tmpfs_files',`
@ -47578,7 +47594,7 @@ index 9dc60c6..769ce74 100644
') ')
######################################## ########################################
@@ -2814,6 +3722,24 @@ interface(`userdom_use_user_ttys',` @@ -2814,6 +3725,24 @@ interface(`userdom_use_user_ttys',`
######################################## ########################################
## <summary> ## <summary>
@ -47603,7 +47619,7 @@ index 9dc60c6..769ce74 100644
## Read and write a user domain pty. ## Read and write a user domain pty.
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
@@ -2832,22 +3758,34 @@ interface(`userdom_use_user_ptys',` @@ -2832,22 +3761,34 @@ interface(`userdom_use_user_ptys',`
######################################## ########################################
## <summary> ## <summary>
@ -47646,7 +47662,7 @@ index 9dc60c6..769ce74 100644
## </desc> ## </desc>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
@@ -2856,14 +3794,33 @@ interface(`userdom_use_user_ptys',` @@ -2856,14 +3797,33 @@ interface(`userdom_use_user_ptys',`
## </param> ## </param>
## <infoflow type="both" weight="10"/> ## <infoflow type="both" weight="10"/>
# #
@ -47684,7 +47700,7 @@ index 9dc60c6..769ce74 100644
') ')
######################################## ########################################
@@ -2882,8 +3839,27 @@ interface(`userdom_dontaudit_use_user_terminals',` @@ -2882,8 +3842,27 @@ interface(`userdom_dontaudit_use_user_terminals',`
type user_tty_device_t, user_devpts_t; type user_tty_device_t, user_devpts_t;
') ')
@ -47714,7 +47730,7 @@ index 9dc60c6..769ce74 100644
') ')
######################################## ########################################
@@ -2955,69 +3931,68 @@ interface(`userdom_spec_domtrans_unpriv_users',` @@ -2955,69 +3934,68 @@ interface(`userdom_spec_domtrans_unpriv_users',`
allow unpriv_userdomain $1:process sigchld; allow unpriv_userdomain $1:process sigchld;
') ')
@ -47815,7 +47831,7 @@ index 9dc60c6..769ce74 100644
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
@@ -3025,12 +4000,12 @@ interface(`userdom_manage_unpriv_user_semaphores',` @@ -3025,12 +4003,12 @@ interface(`userdom_manage_unpriv_user_semaphores',`
## </summary> ## </summary>
## </param> ## </param>
# #
@ -47830,7 +47846,7 @@ index 9dc60c6..769ce74 100644
') ')
######################################## ########################################
@@ -3094,7 +4069,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` @@ -3094,7 +4072,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
domain_entry_file_spec_domtrans($1, unpriv_userdomain) domain_entry_file_spec_domtrans($1, unpriv_userdomain)
allow unpriv_userdomain $1:fd use; allow unpriv_userdomain $1:fd use;
@ -47839,7 +47855,7 @@ index 9dc60c6..769ce74 100644
allow unpriv_userdomain $1:process sigchld; allow unpriv_userdomain $1:process sigchld;
') ')
@@ -3110,29 +4085,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` @@ -3110,29 +4088,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
# #
interface(`userdom_search_user_home_content',` interface(`userdom_search_user_home_content',`
gen_require(` gen_require(`
@ -47873,7 +47889,7 @@ index 9dc60c6..769ce74 100644
') ')
######################################## ########################################
@@ -3214,7 +4173,25 @@ interface(`userdom_dontaudit_use_user_ptys',` @@ -3214,7 +4176,25 @@ interface(`userdom_dontaudit_use_user_ptys',`
type user_devpts_t; type user_devpts_t;
') ')
@ -47900,7 +47916,7 @@ index 9dc60c6..769ce74 100644
') ')
######################################## ########################################
@@ -3269,12 +4246,13 @@ interface(`userdom_write_user_tmp_files',` @@ -3269,12 +4249,13 @@ interface(`userdom_write_user_tmp_files',`
type user_tmp_t; type user_tmp_t;
') ')
@ -47916,7 +47932,7 @@ index 9dc60c6..769ce74 100644
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
@@ -3282,46 +4260,122 @@ interface(`userdom_write_user_tmp_files',` @@ -3282,46 +4263,122 @@ interface(`userdom_write_user_tmp_files',`
## </summary> ## </summary>
## </param> ## </param>
# #
@ -48052,7 +48068,7 @@ index 9dc60c6..769ce74 100644
') ')
allow $1 userdomain:process getattr; allow $1 userdomain:process getattr;
@@ -3382,6 +4436,42 @@ interface(`userdom_signal_all_users',` @@ -3382,6 +4439,42 @@ interface(`userdom_signal_all_users',`
allow $1 userdomain:process signal; allow $1 userdomain:process signal;
') ')
@ -48095,7 +48111,7 @@ index 9dc60c6..769ce74 100644
######################################## ########################################
## <summary> ## <summary>
## Send a SIGCHLD signal to all user domains. ## Send a SIGCHLD signal to all user domains.
@@ -3402,6 +4492,60 @@ interface(`userdom_sigchld_all_users',` @@ -3402,6 +4495,60 @@ interface(`userdom_sigchld_all_users',`
######################################## ########################################
## <summary> ## <summary>
@ -48156,7 +48172,7 @@ index 9dc60c6..769ce74 100644
## Create keys for all user domains. ## Create keys for all user domains.
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
@@ -3435,4 +4579,1691 @@ interface(`userdom_dbus_send_all_users',` @@ -3435,4 +4582,1691 @@ interface(`userdom_dbus_send_all_users',`
') ')
allow $1 userdomain:dbus send_msg; allow $1 userdomain:dbus send_msg;


@ -546,7 +546,7 @@ index 058d908..158acba 100644
+') +')
+ +
diff --git a/abrt.te b/abrt.te diff --git a/abrt.te b/abrt.te
index eb50f07..a0f044b 100644 index eb50f07..d6d0e34 100644
--- a/abrt.te --- a/abrt.te
+++ b/abrt.te +++ b/abrt.te
@@ -6,11 +6,10 @@ policy_module(abrt, 1.4.1) @@ -6,11 +6,10 @@ policy_module(abrt, 1.4.1)
@ -1054,7 +1054,7 @@ index eb50f07..a0f044b 100644
####################################### #######################################
# #
@@ -404,25 +517,58 @@ logging_read_generic_logs(abrt_dump_oops_t) @@ -404,25 +517,60 @@ logging_read_generic_logs(abrt_dump_oops_t)
# #
allow abrt_watch_log_t self:fifo_file rw_fifo_file_perms; allow abrt_watch_log_t self:fifo_file rw_fifo_file_perms;
@ -1086,7 +1086,7 @@ index eb50f07..a0f044b 100644
# Upload watch local policy # Upload watch local policy
# #
+allow abrt_upload_watch_t self:capability { dac_override chown }; +allow abrt_upload_watch_t self:capability { dac_override chown fsetid };
+ +
+manage_files_pattern(abrt_upload_watch_t, abrt_upload_watch_tmp_t, abrt_upload_watch_tmp_t) +manage_files_pattern(abrt_upload_watch_t, abrt_upload_watch_tmp_t, abrt_upload_watch_tmp_t)
+manage_dirs_pattern(abrt_upload_watch_t, abrt_upload_watch_tmp_t, abrt_upload_watch_tmp_t) +manage_dirs_pattern(abrt_upload_watch_t, abrt_upload_watch_tmp_t, abrt_upload_watch_tmp_t)
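Review bot: the first changed line widens the capability set of abrt_upload_watch_t from { dac_override chown } to { dac_override chown fsetid } without a comment saying which operation needs it. CAP_FSETID is the capability that lets a process keep a file's set-user-ID and set-group-ID bits when it writes to or chowns the file (the kernel strips them on chown otherwise), so together with the chown capability already granted on this line the domain can now hand a set-id file to another owner with the bits intact. Please add a comment above the allow rule citing the AVC denial or bug that motivated it, and confirm the need is confined to the domain's own abrt_upload_watch_tmp_t and abrt_var_cache_t files that the manage_*_pattern rules below already cover.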
@ -1096,6 +1096,8 @@ index eb50f07..a0f044b 100644
+read_files_pattern(abrt_upload_watch_t, abrt_etc_t, abrt_etc_t) +read_files_pattern(abrt_upload_watch_t, abrt_etc_t, abrt_etc_t)
+ +
+manage_dirs_pattern(abrt_upload_watch_t, abrt_var_cache_t, abrt_var_cache_t) +manage_dirs_pattern(abrt_upload_watch_t, abrt_var_cache_t, abrt_var_cache_t)
+
+abrt_dbus_chat(abrt_upload_watch_t)
+ +
corecmd_exec_bin(abrt_upload_watch_t) corecmd_exec_bin(abrt_upload_watch_t)
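Review bot: abrt_dbus_chat(abrt_upload_watch_t), added at the end of this hunk, grants only the dbus send_msg permission between abrt_upload_watch_t and abrt_t in both directions; for the watch to reach the daemon over the system bus it also has to be allowed to talk to the bus daemon itself (dbus_system_bus_client or equivalent), and no line in this hunk adds that. Confirm it is already granted elsewhere in the upload watch section, otherwise the next AVC denial will be against system_dbusd_t. The call needs no optional_policy() wrapper because the interface belongs to this module, but a one-line comment saying why the watch talks to abrt_t would help the next reader.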
@ -1115,7 +1117,7 @@ index eb50f07..a0f044b 100644
') ')
####################################### #######################################
@@ -430,10 +576,7 @@ tunable_policy(`abrt_upload_watch_anon_write',` @@ -430,10 +578,7 @@ tunable_policy(`abrt_upload_watch_anon_write',`
# Global local policy # Global local policy
# #
@ -5173,10 +5175,10 @@ index f6eb485..164501c 100644
+ filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess") + filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess")
') ')
diff --git a/apache.te b/apache.te diff --git a/apache.te b/apache.te
index 6649962..44258d7 100644 index 6649962..fc23c8a 100644
--- a/apache.te --- a/apache.te
+++ b/apache.te +++ b/apache.te
@@ -5,280 +5,339 @@ policy_module(apache, 2.7.2) @@ -5,280 +5,346 @@ policy_module(apache, 2.7.2)
# Declarations # Declarations
# #
@ -5251,6 +5253,13 @@ index 6649962..44258d7 100644
+ +
+## <desc> +## <desc>
+## <p> +## <p>
+## Allow httpd processes to run IPA helper.
+## </p>
+## </desc>
+gen_tunable(httpd_run_ipa, false)
+
+## <desc>
+## <p>
+## Allow httpd to use built in scripting (usually php) +## Allow httpd to use built in scripting (usually php)
+## </p> +## </p>
+## </desc> +## </desc>
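Review bot: the description of the new httpd_run_ipa tunable, "Allow httpd processes to run IPA helper.", understates what the boolean turns on: further down in this file the same tunable also gates oddjob_dbus_chat(httpd_t), and this description is what an administrator sees in semanage boolean -l, so it should name both effects, e.g. "Allow httpd to run the FreeIPA helper via oddjob (domain transition to the helper domain and D-Bus access to oddjobd)." Also, if the tunables in this file are kept alphabetical as the entries that follow (httpd_builtin_scripting, httpd_can_network_connect_db, ...) suggest, the block belongs later in the list rather than ahead of httpd_builtin_scripting. Defaulting it to false is right.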
@ -5305,23 +5314,23 @@ index 6649962..44258d7 100644
-## </p> -## </p>
+## <p> +## <p>
+## Allow HTTPD scripts and modules to connect to databases over the network. +## Allow HTTPD scripts and modules to connect to databases over the network.
+## </p>
+## </desc>
+gen_tunable(httpd_can_network_connect_db, false)
+
+## <desc>
+## <p>
+## Allow httpd to connect to memcache server
+## </p> +## </p>
## </desc> ## </desc>
-gen_tunable(httpd_can_network_connect_memcache, false) -gen_tunable(httpd_can_network_connect_memcache, false)
+gen_tunable(httpd_can_network_connect_db, false) +gen_tunable(httpd_can_network_memcache, false)
## <desc> ## <desc>
-## <p> -## <p>
-## Determine whether httpd can act as a relay. -## Determine whether httpd can act as a relay.
-## </p> -## </p>
+## <p> +## <p>
+## Allow httpd to connect to memcache server
+## </p>
+## </desc>
+gen_tunable(httpd_can_network_memcache, false)
+
+## <desc>
+## <p>
+## Allow httpd to act as a relay +## Allow httpd to act as a relay
+## </p> +## </p>
## </desc> ## </desc>
@ -5662,7 +5671,7 @@ index 6649962..44258d7 100644
type httpd_initrc_exec_t; type httpd_initrc_exec_t;
init_script_file(httpd_initrc_exec_t) init_script_file(httpd_initrc_exec_t)
@@ -286,15 +345,35 @@ init_script_file(httpd_initrc_exec_t) @@ -286,15 +352,35 @@ init_script_file(httpd_initrc_exec_t)
type httpd_keytab_t; type httpd_keytab_t;
files_type(httpd_keytab_t) files_type(httpd_keytab_t)
@ -5698,7 +5707,7 @@ index 6649962..44258d7 100644
type httpd_rotatelogs_t; type httpd_rotatelogs_t;
type httpd_rotatelogs_exec_t; type httpd_rotatelogs_exec_t;
init_daemon_domain(httpd_rotatelogs_t, httpd_rotatelogs_exec_t) init_daemon_domain(httpd_rotatelogs_t, httpd_rotatelogs_exec_t)
@@ -302,10 +381,8 @@ init_daemon_domain(httpd_rotatelogs_t, httpd_rotatelogs_exec_t) @@ -302,10 +388,8 @@ init_daemon_domain(httpd_rotatelogs_t, httpd_rotatelogs_exec_t)
type httpd_squirrelmail_t; type httpd_squirrelmail_t;
files_type(httpd_squirrelmail_t) files_type(httpd_squirrelmail_t)
@ -5711,7 +5720,7 @@ index 6649962..44258d7 100644
type httpd_suexec_exec_t; type httpd_suexec_exec_t;
domain_type(httpd_suexec_t) domain_type(httpd_suexec_t)
domain_entry_file(httpd_suexec_t, httpd_suexec_exec_t) domain_entry_file(httpd_suexec_t, httpd_suexec_exec_t)
@@ -314,9 +391,19 @@ role system_r types httpd_suexec_t; @@ -314,9 +398,19 @@ role system_r types httpd_suexec_t;
type httpd_suexec_tmp_t; type httpd_suexec_tmp_t;
files_tmp_file(httpd_suexec_tmp_t) files_tmp_file(httpd_suexec_tmp_t)
@ -5734,7 +5743,7 @@ index 6649962..44258d7 100644
type httpd_tmp_t; type httpd_tmp_t;
files_tmp_file(httpd_tmp_t) files_tmp_file(httpd_tmp_t)
@@ -324,14 +411,21 @@ files_tmp_file(httpd_tmp_t) @@ -324,14 +418,21 @@ files_tmp_file(httpd_tmp_t)
type httpd_tmpfs_t; type httpd_tmpfs_t;
files_tmpfs_file(httpd_tmpfs_t) files_tmpfs_file(httpd_tmpfs_t)
@ -5757,7 +5766,7 @@ index 6649962..44258d7 100644
typealias httpd_user_content_t alias { httpd_auditadm_content_t httpd_secadm_content_t }; typealias httpd_user_content_t alias { httpd_auditadm_content_t httpd_secadm_content_t };
typealias httpd_user_content_t alias { httpd_staff_script_ro_t httpd_sysadm_script_ro_t }; typealias httpd_user_content_t alias { httpd_staff_script_ro_t httpd_sysadm_script_ro_t };
typealias httpd_user_content_t alias { httpd_auditadm_script_ro_t httpd_secadm_script_ro_t }; typealias httpd_user_content_t alias { httpd_auditadm_script_ro_t httpd_secadm_script_ro_t };
@@ -346,33 +440,40 @@ typealias httpd_user_rw_content_t alias { httpd_auditadm_script_rw_t httpd_secad @@ -346,33 +447,40 @@ typealias httpd_user_rw_content_t alias { httpd_auditadm_script_rw_t httpd_secad
typealias httpd_user_ra_content_t alias { httpd_staff_script_ra_t httpd_sysadm_script_ra_t }; typealias httpd_user_ra_content_t alias { httpd_staff_script_ra_t httpd_sysadm_script_ra_t };
typealias httpd_user_ra_content_t alias { httpd_auditadm_script_ra_t httpd_secadm_script_ra_t }; typealias httpd_user_ra_content_t alias { httpd_auditadm_script_ra_t httpd_secadm_script_ra_t };
@ -5809,7 +5818,7 @@ index 6649962..44258d7 100644
allow httpd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow httpd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow httpd_t self:fd use; allow httpd_t self:fd use;
allow httpd_t self:sock_file read_sock_file_perms; allow httpd_t self:sock_file read_sock_file_perms;
@@ -381,30 +482,39 @@ allow httpd_t self:shm create_shm_perms; @@ -381,30 +489,39 @@ allow httpd_t self:shm create_shm_perms;
allow httpd_t self:sem create_sem_perms; allow httpd_t self:sem create_sem_perms;
allow httpd_t self:msgq create_msgq_perms; allow httpd_t self:msgq create_msgq_perms;
allow httpd_t self:msg { send receive }; allow httpd_t self:msg { send receive };
@ -5854,7 +5863,7 @@ index 6649962..44258d7 100644
logging_log_filetrans(httpd_t, httpd_log_t, file) logging_log_filetrans(httpd_t, httpd_log_t, file)
allow httpd_t httpd_modules_t:dir list_dir_perms; allow httpd_t httpd_modules_t:dir list_dir_perms;
@@ -412,14 +522,21 @@ mmap_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t) @@ -412,14 +529,21 @@ mmap_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
read_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t) read_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
read_lnk_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t) read_lnk_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
@ -5876,7 +5885,7 @@ index 6649962..44258d7 100644
allow httpd_t httpd_sys_script_t:unix_stream_socket connectto; allow httpd_t httpd_sys_script_t:unix_stream_socket connectto;
manage_dirs_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t) manage_dirs_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
@@ -450,140 +567,174 @@ manage_dirs_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) @@ -450,140 +574,174 @@ manage_dirs_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
manage_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) manage_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
@ -5944,7 +5953,7 @@ index 6649962..44258d7 100644
+fs_read_hugetlbfs_files(httpd_t) +fs_read_hugetlbfs_files(httpd_t)
+ +
+auth_use_nsswitch(httpd_t) +auth_use_nsswitch(httpd_t)
+
+application_exec_all(httpd_t) +application_exec_all(httpd_t)
+ +
+# execute perl +# execute perl
@ -5953,7 +5962,7 @@ index 6649962..44258d7 100644
+ +
+domain_use_interactive_fds(httpd_t) +domain_use_interactive_fds(httpd_t)
+domain_dontaudit_read_all_domains_state(httpd_t) +domain_dontaudit_read_all_domains_state(httpd_t)
+
+files_dontaudit_search_all_pids(httpd_t) +files_dontaudit_search_all_pids(httpd_t)
files_dontaudit_getattr_all_pids(httpd_t) files_dontaudit_getattr_all_pids(httpd_t)
-files_read_usr_files(httpd_t) -files_read_usr_files(httpd_t)
@ -6116,7 +6125,7 @@ index 6649962..44258d7 100644
') ')
tunable_policy(`httpd_enable_cgi && httpd_use_nfs',` tunable_policy(`httpd_enable_cgi && httpd_use_nfs',`
@@ -594,28 +745,50 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',` @@ -594,28 +752,50 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
fs_cifs_domtrans(httpd_t, httpd_sys_script_t) fs_cifs_domtrans(httpd_t, httpd_sys_script_t)
') ')
@ -6176,7 +6185,7 @@ index 6649962..44258d7 100644
') ')
tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
@@ -624,68 +797,46 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` @@ -624,68 +804,46 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
fs_read_nfs_symlinks(httpd_t) fs_read_nfs_symlinks(httpd_t)
') ')
@ -6269,7 +6278,7 @@ index 6649962..44258d7 100644
') ')
tunable_policy(`httpd_setrlimit',` tunable_policy(`httpd_setrlimit',`
@@ -695,49 +846,48 @@ tunable_policy(`httpd_setrlimit',` @@ -695,49 +853,48 @@ tunable_policy(`httpd_setrlimit',`
tunable_policy(`httpd_ssi_exec',` tunable_policy(`httpd_ssi_exec',`
corecmd_shell_domtrans(httpd_t, httpd_sys_script_t) corecmd_shell_domtrans(httpd_t, httpd_sys_script_t)
@ -6290,17 +6299,17 @@ index 6649962..44258d7 100644
- userdom_use_user_terminals(httpd_t) - userdom_use_user_terminals(httpd_t)
-',` -',`
- userdom_dontaudit_use_user_terminals(httpd_t) - userdom_dontaudit_use_user_terminals(httpd_t)
-') + userdom_use_inherited_user_terminals(httpd_t)
- + userdom_use_inherited_user_terminals(httpd_suexec_t)
')
-tunable_policy(`httpd_use_cifs',` -tunable_policy(`httpd_use_cifs',`
- fs_list_auto_mountpoints(httpd_t) - fs_list_auto_mountpoints(httpd_t)
- fs_manage_cifs_dirs(httpd_t) - fs_manage_cifs_dirs(httpd_t)
- fs_manage_cifs_files(httpd_t) - fs_manage_cifs_files(httpd_t)
- fs_manage_cifs_symlinks(httpd_t) - fs_manage_cifs_symlinks(httpd_t)
+ userdom_use_inherited_user_terminals(httpd_t) -')
+ userdom_use_inherited_user_terminals(httpd_suexec_t) -
')
-tunable_policy(`httpd_use_cifs && httpd_builtin_scripting',` -tunable_policy(`httpd_use_cifs && httpd_builtin_scripting',`
- fs_exec_cifs_files(httpd_t) - fs_exec_cifs_files(httpd_t)
-') -')
@ -6350,7 +6359,7 @@ index 6649962..44258d7 100644
') ')
optional_policy(` optional_policy(`
@@ -749,24 +899,32 @@ optional_policy(` @@ -749,24 +906,32 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -6389,7 +6398,7 @@ index 6649962..44258d7 100644
') ')
optional_policy(` optional_policy(`
@@ -775,6 +933,10 @@ optional_policy(` @@ -775,6 +940,10 @@ optional_policy(`
tunable_policy(`httpd_dbus_avahi',` tunable_policy(`httpd_dbus_avahi',`
avahi_dbus_chat(httpd_t) avahi_dbus_chat(httpd_t)
') ')
@ -6400,7 +6409,7 @@ index 6649962..44258d7 100644
') ')
optional_policy(` optional_policy(`
@@ -786,35 +948,60 @@ optional_policy(` @@ -786,35 +955,60 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -6474,10 +6483,22 @@ index 6649962..44258d7 100644
tunable_policy(`httpd_manage_ipa',` tunable_policy(`httpd_manage_ipa',`
memcached_manage_pid_files(httpd_t) memcached_manage_pid_files(httpd_t)
@@ -822,8 +1009,18 @@ optional_policy(` @@ -822,8 +1016,30 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
+ tunable_policy(`httpd_run_ipa',`
+ oddjob_dbus_chat(httpd_t)
+ ')
+')
+
+optional_policy(`
+ tunable_policy(`httpd_run_ipa',`
+ ipa_domtrans_helper(httpd_t)
+ ')
+')
+
+optional_policy(`
+ munin_read_config(httpd_t) + munin_read_config(httpd_t)
+') +')
+ +
@ -6493,7 +6514,7 @@ index 6649962..44258d7 100644
tunable_policy(`httpd_can_network_connect_db',` tunable_policy(`httpd_can_network_connect_db',`
mysql_tcp_connect(httpd_t) mysql_tcp_connect(httpd_t)
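Review bot: the two new optional_policy blocks gate oddjob_dbus_chat(httpd_t) and ipa_domtrans_helper(httpd_t) on httpd_run_ipa separately, which is correct since each depends on a different optional module, but they are inserted ahead of the munin and mysql blocks while the surrounding entries (memcached, munin, mysql) are in alphabetical order; placing the ipa block before memcached and the oddjob block after mysql would keep that order. More importantly, ipa_domtrans_helper does not appear in the old column anywhere on this page, so if it is a new interface make sure the ipa.if hunk that defines it ships in the same patch or the module will fail to build, and consider a short comment on the ipa block noting that the transition lets httpd_t start a process that runs with everything the helper domain is allowed, since that is the privilege the boolean really hands out.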
@@ -832,6 +1029,8 @@ optional_policy(` @@ -832,6 +1048,8 @@ optional_policy(`
optional_policy(` optional_policy(`
nagios_read_config(httpd_t) nagios_read_config(httpd_t)
@ -6502,7 +6523,7 @@ index 6649962..44258d7 100644
') ')
optional_policy(` optional_policy(`
@@ -842,20 +1041,40 @@ optional_policy(` @@ -842,20 +1060,40 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -6537,19 +6558,19 @@ index 6649962..44258d7 100644
- ') - ')
+optional_policy(` +optional_policy(`
+ puppet_read_lib(httpd_t) + puppet_read_lib(httpd_t)
+')
+
+optional_policy(`
+ pwauth_domtrans(httpd_t)
') ')
optional_policy(` optional_policy(`
- puppet_read_lib_files(httpd_t) - puppet_read_lib_files(httpd_t)
+ pwauth_domtrans(httpd_t)
+')
+
+optional_policy(`
+ rpm_dontaudit_read_db(httpd_t) + rpm_dontaudit_read_db(httpd_t)
') ')
optional_policy(` optional_policy(`
@@ -863,16 +1082,31 @@ optional_policy(` @@ -863,16 +1101,31 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -6583,7 +6604,7 @@ index 6649962..44258d7 100644
') ')
optional_policy(` optional_policy(`
@@ -883,65 +1117,189 @@ optional_policy(` @@ -883,65 +1136,189 @@ optional_policy(`
yam_read_content(httpd_t) yam_read_content(httpd_t)
') ')
@ -6672,10 +6693,11 @@ index 6649962..44258d7 100644
-',` -',`
- userdom_dontaudit_use_user_terminals(httpd_helper_t) - userdom_dontaudit_use_user_terminals(httpd_helper_t)
+ userdom_use_inherited_user_terminals(httpd_helper_t) + userdom_use_inherited_user_terminals(httpd_helper_t)
+') ')
+
+######################################## ########################################
+# #
-# Suexec local policy
+# Apache PHP script local policy +# Apache PHP script local policy
+# +#
+ +
@ -6734,11 +6756,10 @@ index 6649962..44258d7 100644
+ tunable_policy(`httpd_can_network_connect_db',` + tunable_policy(`httpd_can_network_connect_db',`
+ postgresql_tcp_connect(httpd_php_t) + postgresql_tcp_connect(httpd_php_t)
+ ') + ')
') +')
+
######################################## +########################################
# +#
-# Suexec local policy
+# Apache suexec local policy +# Apache suexec local policy
# #
@ -6795,7 +6816,7 @@ index 6649962..44258d7 100644
files_dontaudit_search_pids(httpd_suexec_t) files_dontaudit_search_pids(httpd_suexec_t)
files_search_home(httpd_suexec_t) files_search_home(httpd_suexec_t)
@@ -950,123 +1308,74 @@ auth_use_nsswitch(httpd_suexec_t) @@ -950,123 +1327,74 @@ auth_use_nsswitch(httpd_suexec_t)
logging_search_logs(httpd_suexec_t) logging_search_logs(httpd_suexec_t)
logging_send_syslog_msg(httpd_suexec_t) logging_send_syslog_msg(httpd_suexec_t)
@ -6950,7 +6971,7 @@ index 6649962..44258d7 100644
mysql_read_config(httpd_suexec_t) mysql_read_config(httpd_suexec_t)
tunable_policy(`httpd_can_network_connect_db',` tunable_policy(`httpd_can_network_connect_db',`
@@ -1083,172 +1392,107 @@ optional_policy(` @@ -1083,172 +1411,107 @@ optional_policy(`
') ')
') ')
@ -6972,11 +6993,11 @@ index 6649962..44258d7 100644
-allow httpd_script_domains self:unix_stream_socket connectto; -allow httpd_script_domains self:unix_stream_socket connectto;
- -
-allow httpd_script_domains httpd_sys_content_t:dir search_dir_perms; -allow httpd_script_domains httpd_sys_content_t:dir search_dir_perms;
+allow httpd_sys_script_t self:process getsched; -
-append_files_pattern(httpd_script_domains, httpd_log_t, httpd_log_t) -append_files_pattern(httpd_script_domains, httpd_log_t, httpd_log_t)
-read_lnk_files_pattern(httpd_script_domains, httpd_log_t, httpd_log_t) -read_lnk_files_pattern(httpd_script_domains, httpd_log_t, httpd_log_t)
- +allow httpd_sys_script_t self:process getsched;
-kernel_dontaudit_search_sysctl(httpd_script_domains) -kernel_dontaudit_search_sysctl(httpd_script_domains)
-kernel_dontaudit_search_kernel_sysctl(httpd_script_domains) -kernel_dontaudit_search_kernel_sysctl(httpd_script_domains)
- -
@ -7133,7 +7154,8 @@ index 6649962..44258d7 100644
-kernel_read_kernel_sysctls(httpd_sys_script_t) -kernel_read_kernel_sysctls(httpd_sys_script_t)
- -
-fs_search_auto_mountpoints(httpd_sys_script_t) -fs_search_auto_mountpoints(httpd_sys_script_t)
- +corenet_all_recvfrom_netlabel(httpd_sys_script_t)
-files_read_var_symlinks(httpd_sys_script_t) -files_read_var_symlinks(httpd_sys_script_t)
-files_search_var_lib(httpd_sys_script_t) -files_search_var_lib(httpd_sys_script_t)
-files_search_spool(httpd_sys_script_t) -files_search_spool(httpd_sys_script_t)
@ -7141,8 +7163,7 @@ index 6649962..44258d7 100644
-apache_domtrans_rotatelogs(httpd_sys_script_t) -apache_domtrans_rotatelogs(httpd_sys_script_t)
- -
-auth_use_nsswitch(httpd_sys_script_t) -auth_use_nsswitch(httpd_sys_script_t)
+corenet_all_recvfrom_netlabel(httpd_sys_script_t) -
-tunable_policy(`httpd_can_sendmail',` -tunable_policy(`httpd_can_sendmail',`
- corenet_sendrecv_smtp_client_packets(httpd_sys_script_t) - corenet_sendrecv_smtp_client_packets(httpd_sys_script_t)
- corenet_tcp_connect_smtp_port(httpd_sys_script_t) - corenet_tcp_connect_smtp_port(httpd_sys_script_t)
@ -7188,7 +7209,7 @@ index 6649962..44258d7 100644
') ')
tunable_policy(`httpd_read_user_content',` tunable_policy(`httpd_read_user_content',`
@@ -1256,64 +1500,74 @@ tunable_policy(`httpd_read_user_content',` @@ -1256,64 +1519,74 @@ tunable_policy(`httpd_read_user_content',`
') ')
tunable_policy(`httpd_use_cifs',` tunable_policy(`httpd_use_cifs',`
@ -7285,7 +7306,7 @@ index 6649962..44258d7 100644
######################################## ########################################
# #
@@ -1321,8 +1575,15 @@ miscfiles_read_localization(httpd_rotatelogs_t) @@ -1321,8 +1594,15 @@ miscfiles_read_localization(httpd_rotatelogs_t)
# #
optional_policy(` optional_policy(`
@ -7302,7 +7323,7 @@ index 6649962..44258d7 100644
') ')
######################################## ########################################
@@ -1330,49 +1591,38 @@ optional_policy(` @@ -1330,49 +1610,38 @@ optional_policy(`
# User content local policy # User content local policy
# #
@ -7367,7 +7388,7 @@ index 6649962..44258d7 100644
kernel_read_system_state(httpd_passwd_t) kernel_read_system_state(httpd_passwd_t)
corecmd_exec_bin(httpd_passwd_t) corecmd_exec_bin(httpd_passwd_t)
@@ -1382,38 +1632,109 @@ dev_read_urand(httpd_passwd_t) @@ -1382,38 +1651,109 @@ dev_read_urand(httpd_passwd_t)
domain_use_interactive_fds(httpd_passwd_t) domain_use_interactive_fds(httpd_passwd_t)
@ -25135,10 +25156,10 @@ index 0000000..457d4dd
+') +')
diff --git a/dnssec.te b/dnssec.te diff --git a/dnssec.te b/dnssec.te
new file mode 100644 new file mode 100644
index 0000000..1e0a31f index 0000000..6d795fe
--- /dev/null --- /dev/null
+++ b/dnssec.te +++ b/dnssec.te
@@ -0,0 +1,74 @@ @@ -0,0 +1,81 @@
+policy_module(dnssec, 1.0.0) +policy_module(dnssec, 1.0.0)
+ +
+######################################## +########################################
@ -25156,6 +25177,9 @@ index 0000000..1e0a31f
+type dnssec_trigger_var_run_t; +type dnssec_trigger_var_run_t;
+files_pid_file(dnssec_trigger_var_run_t) +files_pid_file(dnssec_trigger_var_run_t)
+ +
+type dnssec_trigger_tmp_t;
+files_tmp_file(dnssec_trigger_tmp_t)
+
+######################################## +########################################
+# +#
+# dnssec_trigger local policy +# dnssec_trigger local policy
@ -25171,6 +25195,10 @@ index 0000000..1e0a31f
+manage_files_pattern(dnssec_trigger_t, dnssec_trigger_var_run_t, dnssec_trigger_var_run_t) +manage_files_pattern(dnssec_trigger_t, dnssec_trigger_var_run_t, dnssec_trigger_var_run_t)
+files_pid_filetrans(dnssec_trigger_t, dnssec_trigger_var_run_t, { dir file }) +files_pid_filetrans(dnssec_trigger_t, dnssec_trigger_var_run_t, { dir file })
+ +
+manage_files_pattern(dnssec_trigger_t,dnssec_trigger_tmp_t,dnssec_trigger_tmp_t)
+manage_dirs_pattern(dnssec_trigger_t,dnssec_trigger_tmp_t,dnssec_trigger_tmp_t)
+files_tmp_filetrans(dnssec_trigger_t,dnssec_trigger_tmp_t,{ file dir })
+
+kernel_read_system_state(dnssec_trigger_t) +kernel_read_system_state(dnssec_trigger_t)
+ +
+corecmd_exec_bin(dnssec_trigger_t) +corecmd_exec_bin(dnssec_trigger_t)
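Review bot: the three new rules for dnssec_trigger_tmp_t omit the space after each comma (`manage_files_pattern(dnssec_trigger_t,dnssec_trigger_tmp_t,dnssec_trigger_tmp_t)`) and use `{ file dir }`, while the neighbouring var_run rules in the same file use `, ` and `{ dir file }`; match the existing style so the block reads consistently. The rules themselves (manage files and dirs of the new type plus files_tmp_filetrans into /tmp and /var/tmp) are the standard tmp-type pattern and match the BZ(1240840) changelog entry.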
@ -28721,7 +28749,7 @@ index 4498143..84a4858 100644
ftp_run_ftpdctl($1, $2) ftp_run_ftpdctl($1, $2)
') ')
diff --git a/ftp.te b/ftp.te diff --git a/ftp.te b/ftp.te
index 36838c2..a422d04 100644 index 36838c2..a09e8b2 100644
--- a/ftp.te --- a/ftp.te
+++ b/ftp.te +++ b/ftp.te
@@ -13,7 +13,7 @@ policy_module(ftp, 1.15.1) @@ -13,7 +13,7 @@ policy_module(ftp, 1.15.1)
@ -28767,22 +28795,7 @@ index 36838c2..a422d04 100644
## <desc> ## <desc>
## <p> ## <p>
@@ -50,14 +57,6 @@ gen_tunable(ftpd_connect_db, false) @@ -124,6 +131,9 @@ files_config_file(ftpd_etc_t)
## <desc>
## <p>
-## Determine whether ftpd can bind to all
-## unreserved ports for passive mode.
-## </p>
-## </desc>
-gen_tunable(ftpd_use_passive_mode, false)
-
-## <desc>
-## <p>
## Determine whether ftpd can connect to
## all unreserved ports.
## </p>
@@ -124,6 +123,9 @@ files_config_file(ftpd_etc_t)
type ftpd_initrc_exec_t; type ftpd_initrc_exec_t;
init_script_file(ftpd_initrc_exec_t) init_script_file(ftpd_initrc_exec_t)
@ -28792,7 +28805,7 @@ index 36838c2..a422d04 100644
type ftpd_keytab_t; type ftpd_keytab_t;
files_type(ftpd_keytab_t) files_type(ftpd_keytab_t)
@@ -184,6 +186,9 @@ allow ftpd_t ftpd_keytab_t:file read_file_perms; @@ -184,6 +194,9 @@ allow ftpd_t ftpd_keytab_t:file read_file_perms;
allow ftpd_t ftpd_lock_t:file manage_file_perms; allow ftpd_t ftpd_lock_t:file manage_file_perms;
files_lock_filetrans(ftpd_t, ftpd_lock_t, file) files_lock_filetrans(ftpd_t, ftpd_lock_t, file)
@ -28802,7 +28815,7 @@ index 36838c2..a422d04 100644
manage_dirs_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t) manage_dirs_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t)
manage_files_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t) manage_files_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t)
manage_lnk_files_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t) manage_lnk_files_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t)
@@ -198,22 +203,19 @@ files_pid_filetrans(ftpd_t, ftpd_var_run_t, { file dir }) @@ -198,22 +211,19 @@ files_pid_filetrans(ftpd_t, ftpd_var_run_t, { file dir })
allow ftpd_t ftpdctl_tmp_t:sock_file delete_sock_file_perms; allow ftpd_t ftpdctl_tmp_t:sock_file delete_sock_file_perms;
@ -28829,7 +28842,7 @@ index 36838c2..a422d04 100644
corenet_all_recvfrom_netlabel(ftpd_t) corenet_all_recvfrom_netlabel(ftpd_t)
corenet_tcp_sendrecv_generic_if(ftpd_t) corenet_tcp_sendrecv_generic_if(ftpd_t)
corenet_udp_sendrecv_generic_if(ftpd_t) corenet_udp_sendrecv_generic_if(ftpd_t)
@@ -229,9 +231,12 @@ corenet_tcp_bind_ftp_port(ftpd_t) @@ -229,9 +239,12 @@ corenet_tcp_bind_ftp_port(ftpd_t)
corenet_sendrecv_ftp_data_server_packets(ftpd_t) corenet_sendrecv_ftp_data_server_packets(ftpd_t)
corenet_tcp_bind_ftp_data_port(ftpd_t) corenet_tcp_bind_ftp_data_port(ftpd_t)
@ -28843,7 +28856,7 @@ index 36838c2..a422d04 100644
files_read_etc_runtime_files(ftpd_t) files_read_etc_runtime_files(ftpd_t)
files_search_var_lib(ftpd_t) files_search_var_lib(ftpd_t)
@@ -250,7 +255,6 @@ logging_send_audit_msgs(ftpd_t) @@ -250,7 +263,6 @@ logging_send_audit_msgs(ftpd_t)
logging_send_syslog_msg(ftpd_t) logging_send_syslog_msg(ftpd_t)
logging_set_loginuid(ftpd_t) logging_set_loginuid(ftpd_t)
@ -28851,7 +28864,7 @@ index 36838c2..a422d04 100644
miscfiles_read_public_files(ftpd_t) miscfiles_read_public_files(ftpd_t)
seutil_dontaudit_search_config(ftpd_t) seutil_dontaudit_search_config(ftpd_t)
@@ -259,37 +263,47 @@ sysnet_use_ldap(ftpd_t) @@ -259,32 +271,50 @@ sysnet_use_ldap(ftpd_t)
userdom_dontaudit_use_unpriv_user_fds(ftpd_t) userdom_dontaudit_use_unpriv_user_fds(ftpd_t)
userdom_dontaudit_search_user_home_dirs(ftpd_t) userdom_dontaudit_search_user_home_dirs(ftpd_t)
@ -28898,18 +28911,18 @@ index 36838c2..a422d04 100644
- files_manage_non_auth_files(ftpd_t) - files_manage_non_auth_files(ftpd_t)
+ files_manage_non_security_dirs(ftpd_t) + files_manage_non_security_dirs(ftpd_t)
+ files_manage_non_security_files(ftpd_t) + files_manage_non_security_files(ftpd_t)
') +')
+
-tunable_policy(`ftpd_use_passive_mode',` +tunable_policy(`ftpd_use_passive_mode',`
- corenet_sendrecv_all_server_packets(ftpd_t) + corenet_tcp_bind_all_unreserved_ports(ftpd_t)
- corenet_tcp_bind_all_unreserved_ports(ftpd_t) +')
+ +
+tunable_policy(`ftpd_connect_all_unreserved',` +tunable_policy(`ftpd_connect_all_unreserved',`
+ corenet_tcp_connect_all_unreserved_ports(ftpd_t) + corenet_tcp_connect_all_unreserved_ports(ftpd_t)
') ')
tunable_policy(`ftpd_connect_all_unreserved',` tunable_policy(`ftpd_use_passive_mode',`
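Review bot: the restored ftpd_use_passive_mode block keeps only `corenet_tcp_bind_all_unreserved_ports(ftpd_t)`, whereas the upstream block this patch replaces also carried `corenet_sendrecv_all_server_packets(ftpd_t)`; confirm dropping the packet rule is intentional, since the boolean's description (restored earlier in this file, now that the removal hunk is gone) still promises passive mode on all unreserved ports. The block is also now emitted before ftpd_connect_all_unreserved on the new side and after it on the old side, which is harmless but makes the diff noisier than the change warrants.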
@@ -304,22 +318,19 @@ tunable_policy(`ftpd_connect_db',` @@ -304,22 +334,19 @@ tunable_policy(`ftpd_connect_db',`
corenet_sendrecv_mssql_client_packets(ftpd_t) corenet_sendrecv_mssql_client_packets(ftpd_t)
corenet_tcp_connect_mssql_port(ftpd_t) corenet_tcp_connect_mssql_port(ftpd_t)
corenet_tcp_sendrecv_mssql_port(ftpd_t) corenet_tcp_sendrecv_mssql_port(ftpd_t)
@ -28937,7 +28950,7 @@ index 36838c2..a422d04 100644
userdom_tmp_filetrans_user_tmp(ftpd_t, { dir file }) userdom_tmp_filetrans_user_tmp(ftpd_t, { dir file })
') ')
@@ -363,9 +374,8 @@ optional_policy(` @@ -363,9 +390,8 @@ optional_policy(`
optional_policy(` optional_policy(`
selinux_validate_context(ftpd_t) selinux_validate_context(ftpd_t)
@ -28948,7 +28961,7 @@ index 36838c2..a422d04 100644
kerberos_use(ftpd_t) kerberos_use(ftpd_t)
') ')
@@ -416,21 +426,20 @@ optional_policy(` @@ -416,21 +442,20 @@ optional_policy(`
# #
stream_connect_pattern(ftpdctl_t, ftpd_var_run_t, ftpd_var_run_t, ftpd_t) stream_connect_pattern(ftpdctl_t, ftpd_var_run_t, ftpd_var_run_t, ftpd_t)
@ -28972,7 +28985,7 @@ index 36838c2..a422d04 100644
miscfiles_read_public_files(anon_sftpd_t) miscfiles_read_public_files(anon_sftpd_t)
@@ -443,23 +452,34 @@ tunable_policy(`sftpd_anon_write',` @@ -443,23 +468,34 @@ tunable_policy(`sftpd_anon_write',`
# Sftpd local policy # Sftpd local policy
# #
@ -29013,7 +29026,7 @@ index 36838c2..a422d04 100644
') ')
tunable_policy(`sftpd_enable_homedirs && use_nfs_home_dirs',` tunable_policy(`sftpd_enable_homedirs && use_nfs_home_dirs',`
@@ -481,21 +501,11 @@ tunable_policy(`sftpd_anon_write',` @@ -481,21 +517,11 @@ tunable_policy(`sftpd_anon_write',`
tunable_policy(`sftpd_full_access',` tunable_policy(`sftpd_full_access',`
allow sftpd_t self:capability { dac_override dac_read_search }; allow sftpd_t self:capability { dac_override dac_read_search };
fs_read_noxattr_fs_files(sftpd_t) fs_read_noxattr_fs_files(sftpd_t)
@ -36212,24 +36225,26 @@ index 0000000..61f2003
+userdom_use_user_terminals(iotop_t) +userdom_use_user_terminals(iotop_t)
diff --git a/ipa.fc b/ipa.fc diff --git a/ipa.fc b/ipa.fc
new file mode 100644 new file mode 100644
index 0000000..877a747 index 0000000..db194ec
--- /dev/null --- /dev/null
+++ b/ipa.fc +++ b/ipa.fc
@@ -0,0 +1,8 @@ @@ -0,0 +1,10 @@
+/usr/lib/systemd/system/ipa-otpd.* -- gen_context(system_u:object_r:ipa_otpd_unit_file_t,s0) +/usr/lib/systemd/system/ipa-otpd.* -- gen_context(system_u:object_r:ipa_otpd_unit_file_t,s0)
+ +
+/usr/libexec/ipa-otpd -- gen_context(system_u:object_r:ipa_otpd_exec_t,s0) +/usr/libexec/ipa-otpd -- gen_context(system_u:object_r:ipa_otpd_exec_t,s0)
+ +
+/usr/libexec/ipa/com\.redhat\.idm\.trust-fetch-domains -- gen_context(system_u:object_r:ipa_helper_exec_t,s0)
+
+/var/lib/ipa(/.*)? gen_context(system_u:object_r:ipa_var_lib_t,s0) +/var/lib/ipa(/.*)? gen_context(system_u:object_r:ipa_var_lib_t,s0)
+ +
+/var/run/ipa(/.*)? gen_context(system_u:object_r:ipa_var_run_t,s0) +/var/run/ipa(/.*)? gen_context(system_u:object_r:ipa_var_run_t,s0)
+ +
diff --git a/ipa.if b/ipa.if diff --git a/ipa.if b/ipa.if
new file mode 100644 new file mode 100644
index 0000000..789b3e8 index 0000000..de83173
--- /dev/null --- /dev/null
+++ b/ipa.if +++ b/ipa.if
@@ -0,0 +1,112 @@ @@ -0,0 +1,150 @@
+## <summary>Policy for IPA services.</summary> +## <summary>Policy for IPA services.</summary>
+ +
+######################################## +########################################
@ -36270,6 +36285,44 @@ index 0000000..789b3e8
+ +
+######################################## +########################################
+## <summary> +## <summary>
+## Execute ipa-helper in the ipa_helper domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`ipa_domtrans_helper',`
+ gen_require(`
+ type ipa_helper_t, ipa_helper_exec_t;
+ ')
+
+ domtrans_pattern($1, ipa_helper_exec_t, ipa_helper_t)
+')
+
+########################################
+## <summary>
+## Execute ipa-helper in the ipa_helper domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`ipa_run_helper',`
+ gen_require(`
+ type ipa_helper_t;
+ attribute_role ipa_helper_roles;
+ ')
+
+ ipa_domtrans_helper($1)
+ roleattribute $2 ipa_helper_roles;
+')
+
+########################################
+## <summary>
+## Allow domain to manage ipa lib files/dirs. +## Allow domain to manage ipa lib files/dirs.
+## </summary> +## </summary>
+## <param name="domain"> +## <param name="domain">
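Review bot: the doc block for `ipa_run_helper` is a copy of the `ipa_domtrans_helper` block: it documents only `<param name="domain">`, but the interface body uses `$2` in `roleattribute $2 ipa_helper_roles;`. Add a `<param name="role">` entry and change the summary to say that the role is also allowed the ipa_helper domain, otherwise the generated interface documentation will show a one-parameter interface that actually requires two.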
@ -36344,10 +36397,10 @@ index 0000000..789b3e8
+ +
diff --git a/ipa.te b/ipa.te diff --git a/ipa.te b/ipa.te
new file mode 100644 new file mode 100644
index 0000000..a7f09d25 index 0000000..7d70dcb
--- /dev/null --- /dev/null
+++ b/ipa.te +++ b/ipa.te
@@ -0,0 +1,50 @@ @@ -0,0 +1,113 @@
+policy_module(ipa, 1.0.0) +policy_module(ipa, 1.0.0)
+ +
+######################################## +########################################
@ -36357,6 +36410,9 @@ index 0000000..a7f09d25
+ +
+attribute ipa_domain; +attribute ipa_domain;
+ +
+attribute_role ipa_helper_roles;
+roleattribute system_r ipa_helper_roles;
+
+type ipa_otpd_t, ipa_domain; +type ipa_otpd_t, ipa_domain;
+type ipa_otpd_exec_t; +type ipa_otpd_exec_t;
+init_daemon_domain(ipa_otpd_t, ipa_otpd_exec_t) +init_daemon_domain(ipa_otpd_t, ipa_otpd_exec_t)
@ -36370,6 +36426,13 @@ index 0000000..a7f09d25
+type ipa_var_run_t; +type ipa_var_run_t;
+files_pid_file(ipa_var_run_t) +files_pid_file(ipa_var_run_t)
+ +
+type ipa_helper_t;
+type ipa_helper_exec_t;
+domain_type(ipa_helper_t)
+domain_obj_id_change_exemption(ipa_helper_t)
+init_system_domain(ipa_helper_t, ipa_helper_exec_t)
+role ipa_helper_roles types ipa_helper_t;
+
+######################################## +########################################
+# +#
+# ipa_otpd local policy +# ipa_otpd local policy
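Review bot: `domain_type(ipa_helper_t)` on the line before `init_system_domain(ipa_helper_t, ipa_helper_exec_t)` is redundant, because init_system_domain already applies domain_type through init_domain; drop the explicit call so the declaration reads like the ipa_otpd one above it. The `attribute_role ipa_helper_roles` plus `roleattribute system_r ipa_helper_roles` and `role ipa_helper_roles types ipa_helper_t` trio is the right shape for a role attribute that ipa_run_helper extends.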
@ -36398,6 +36461,59 @@ index 0000000..a7f09d25
+optional_policy(` +optional_policy(`
+ kerberos_use(ipa_otpd_t) + kerberos_use(ipa_otpd_t)
+') +')
+
+########################################
+#
+# ipa-helper local policy
+#
+
+
+allow ipa_helper_t self:capability { dac_override chown };
+
+allow ipa_helper_t self:process setfscreate;
+allow ipa_helper_t self:fifo_file rw_fifo_file_perms;
+allow ipa_helper_t self:netlink_route_socket r_netlink_socket_perms;
+
+kernel_read_system_state(ipa_helper_t)
+
+corenet_tcp_connect_ldap_port(ipa_helper_t)
+corenet_tcp_connect_smbd_port(ipa_helper_t)
+
+corecmd_exec_bin(ipa_helper_t)
+corecmd_exec_shell(ipa_helper_t)
+
+dev_read_urand(ipa_helper_t)
+
+auth_use_nsswitch(ipa_helper_t)
+
+ipa_manage_pid_files(ipa_helper_t)
+ipa_read_lib(ipa_helper_t)
+
+logging_send_syslog_msg(ipa_helper_t)
+
+optional_policy(`
+ ldap_stream_connect(ipa_helper_t)
+')
+
+optional_policy(`
+ libs_exec_ldconfig(ipa_helper_t)
+')
+
+optional_policy(`
+ memcached_stream_connect(ipa_helper_t)
+')
+
+optional_policy(`
+ oddjob_system_entry(ipa_helper_t, ipa_helper_exec_t)
+')
+
+optional_policy(`
+ samba_read_config(ipa_helper_t)
+')
+
+optional_policy(`
+ sssd_manage_lib_files(ipa_helper_t)
+')
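Review bot: `allow ipa_helper_t self:capability { dac_override chown };` grants dac_override, which bypasses every DAC permission check for files the helper touches; if the helper only needs to traverse or read directories it does not own, dac_read_search is the narrower capability and is the usual reviewer request in refpolicy. Separately, the "ipa-helper local policy" header is followed by two blank lines where the rest of the file uses one, and the ldap/smbd port connects sit outside optional_policy while the ldap stream connect is inside one, which is fine but worth a comment explaining that the TCP path is unconditional.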
diff --git a/irc.fc b/irc.fc diff --git a/irc.fc b/irc.fc
index 48e7739..1bf0326 100644 index 48e7739..1bf0326 100644
--- a/irc.fc --- a/irc.fc
@ -50280,7 +50396,7 @@ index f42896c..bd1eb52 100644
+/var/spool/mail(/.*)? gen_context(system_u:object_r:mail_spool_t,s0) +/var/spool/mail(/.*)? gen_context(system_u:object_r:mail_spool_t,s0)
+/var/spool/smtpd(/.*)? gen_context(system_u:object_r:mail_spool_t,s0) +/var/spool/smtpd(/.*)? gen_context(system_u:object_r:mail_spool_t,s0)
diff --git a/mta.if b/mta.if diff --git a/mta.if b/mta.if
index ed81cac..80e6086 100644 index ed81cac..ad452db 100644
--- a/mta.if --- a/mta.if
+++ b/mta.if +++ b/mta.if
@@ -1,4 +1,4 @@ @@ -1,4 +1,4 @@
@ -51236,7 +51352,7 @@ index ed81cac..80e6086 100644
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
@@ -1081,3 +1067,201 @@ interface(`mta_rw_user_mail_stream_sockets',` @@ -1081,3 +1067,204 @@ interface(`mta_rw_user_mail_stream_sockets',`
allow $1 user_mail_domain:unix_stream_socket rw_socket_perms; allow $1 user_mail_domain:unix_stream_socket rw_socket_perms;
') ')
@ -51435,6 +51551,9 @@ index ed81cac..80e6086 100644
+ mta_etc_filetrans_aliases($1, "aliases.db") + mta_etc_filetrans_aliases($1, "aliases.db")
+ mta_etc_filetrans_aliases($1, "aliasesdb-stamp") + mta_etc_filetrans_aliases($1, "aliasesdb-stamp")
+ mta_etc_filetrans_aliases($1, "__db.aliases.db") + mta_etc_filetrans_aliases($1, "__db.aliases.db")
+ mta_etc_filetrans_aliases($1, "virtusertable.db")
+ mta_etc_filetrans_aliases($1, "access.db")
+ mta_etc_filetrans_aliases($1, "domaintable.db")
+ mta_filetrans_home_content($1) + mta_filetrans_home_content($1)
+ mta_filetrans_admin_home_content($1) + mta_filetrans_admin_home_content($1)
+') +')
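Review bot: the three added names (`virtusertable.db`, `access.db`, `domaintable.db`) are routed through `mta_etc_filetrans_aliases`, so they will be created with the aliases file type even though they are sendmail map databases rather than alias files. Confirm that is the intended label and that the mta file contexts for these paths agree with it, otherwise a restorecon will relabel what the transition just created.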
@ -54225,7 +54344,7 @@ index d78dfc3..40e1c77 100644
-/var/spool/nagios(/.*)? gen_context(system_u:object_r:nagios_spool_t,s0) -/var/spool/nagios(/.*)? gen_context(system_u:object_r:nagios_spool_t,s0)
diff --git a/nagios.if b/nagios.if diff --git a/nagios.if b/nagios.if
index 0641e97..ed3394e 100644 index 0641e97..438eeb3 100644
--- a/nagios.if --- a/nagios.if
+++ b/nagios.if +++ b/nagios.if
@@ -1,12 +1,13 @@ @@ -1,12 +1,13 @@
@ -54247,7 +54366,7 @@ index 0641e97..ed3394e 100644
## </summary> ## </summary>
## </param> ## </param>
# #
@@ -16,38 +17,31 @@ template(`nagios_plugin_template',` @@ -16,38 +17,51 @@ template(`nagios_plugin_template',`
type nagios_t, nrpe_t; type nagios_t, nrpe_t;
') ')
@ -54280,6 +54399,26 @@ index 0641e97..ed3394e 100644
## <summary> ## <summary>
-## Do not audit attempts to read or -## Do not audit attempts to read or
-## write nagios unnamed pipes. -## write nagios unnamed pipes.
+## Execute the nagios unconfined plugins with
+## a domain transition.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`nagios_domtrans_unconfined_plugins',`
+ gen_require(`
+ type nagios_unconfined_plugin_t;
+ type nagios_unconfined_plugin_exec_t;
+ ')
+
+ domtrans_pattern($1, nagios_unconfined_plugin_exec_t, nagios_unconfined_plugin_t)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to read or write nagios +## Do not audit attempts to read or write nagios
+## unnamed pipes. +## unnamed pipes.
## </summary> ## </summary>
@ -54292,7 +54431,7 @@ index 0641e97..ed3394e 100644
# #
interface(`nagios_dontaudit_rw_pipes',` interface(`nagios_dontaudit_rw_pipes',`
gen_require(` gen_require(`
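Review bot: in the new `nagios_domtrans_unconfined_plugins` interface the parameter summary reads "Domain allowed access." while the interface performs a domain transition; the convention used elsewhere in this file is "Domain allowed to transition." The two `type` lines in gen_require can also be collapsed into `type nagios_unconfined_plugin_t, nagios_unconfined_plugin_exec_t;` as the nrpe interface below does. Note that the changelog lists this interface twice.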
@@ -59,7 +53,8 @@ interface(`nagios_dontaudit_rw_pipes',` @@ -59,7 +73,8 @@ interface(`nagios_dontaudit_rw_pipes',`
######################################## ########################################
## <summary> ## <summary>
@ -54302,7 +54441,7 @@ index 0641e97..ed3394e 100644
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
@@ -73,15 +68,33 @@ interface(`nagios_read_config',` @@ -73,15 +88,33 @@ interface(`nagios_read_config',`
type nagios_etc_t; type nagios_etc_t;
') ')
@ -54339,7 +54478,7 @@ index 0641e97..ed3394e 100644
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
@@ -100,8 +113,7 @@ interface(`nagios_read_log',` @@ -100,8 +133,7 @@ interface(`nagios_read_log',`
######################################## ########################################
## <summary> ## <summary>
@ -54349,18 +54488,17 @@ index 0641e97..ed3394e 100644
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
@@ -132,13 +144,33 @@ interface(`nagios_search_spool',` @@ -132,13 +164,33 @@ interface(`nagios_search_spool',`
type nagios_spool_t; type nagios_spool_t;
') ')
- files_search_spool($1) - files_search_spool($1)
allow $1 nagios_spool_t:dir search_dir_perms; allow $1 nagios_spool_t:dir search_dir_perms;
+ files_search_spool($1) + files_search_spool($1)
') +')
+
######################################## +########################################
## <summary> +## <summary>
-## Read nagios temporary files.
+## Append nagios spool files. +## Append nagios spool files.
+## </summary> +## </summary>
+## <param name="domain"> +## <param name="domain">
@ -54376,16 +54514,17 @@ index 0641e97..ed3394e 100644
+ +
+ allow $1 nagios_spool_t:file append_file_perms; + allow $1 nagios_spool_t:file append_file_perms;
+ files_search_spool($1) + files_search_spool($1)
+') ')
+
+######################################## ########################################
+## <summary> ## <summary>
-## Read nagios temporary files.
+## Allow the specified domain to read +## Allow the specified domain to read
+## nagios temporary files. +## nagios temporary files.
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
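Review bot: this hunk changes no resulting policy; the only difference is where the diff places the `-## Read nagios temporary files.` line and which `')` / `########` lines count as context, so nagios.if ends up identical on both sides. Regenerating the patch against the same base with the same context settings would avoid this churn and make the real additions easier to spot.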
@@ -151,13 +183,34 @@ interface(`nagios_read_tmp_files',` @@ -151,13 +203,34 @@ interface(`nagios_read_tmp_files',`
type nagios_tmp_t; type nagios_tmp_t;
') ')
@ -54422,7 +54561,7 @@ index 0641e97..ed3394e 100644
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
@@ -170,14 +223,13 @@ interface(`nagios_domtrans_nrpe',` @@ -170,14 +243,13 @@ interface(`nagios_domtrans_nrpe',`
type nrpe_t, nrpe_exec_t; type nrpe_t, nrpe_exec_t;
') ')
@ -54439,7 +54578,7 @@ index 0641e97..ed3394e 100644
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
@@ -186,44 +238,43 @@ interface(`nagios_domtrans_nrpe',` @@ -186,44 +258,43 @@ interface(`nagios_domtrans_nrpe',`
## </param> ## </param>
## <param name="role"> ## <param name="role">
## <summary> ## <summary>
@ -64947,10 +65086,10 @@ index 0000000..80246e6
+ +
diff --git a/pcp.te b/pcp.te diff --git a/pcp.te b/pcp.te
new file mode 100644 new file mode 100644
index 0000000..7a3dc05 index 0000000..15702ce
--- /dev/null --- /dev/null
+++ b/pcp.te +++ b/pcp.te
@@ -0,0 +1,240 @@ @@ -0,0 +1,241 @@
+policy_module(pcp, 1.0.0) +policy_module(pcp, 1.0.0)
+ +
+######################################## +########################################
@ -65000,6 +65139,7 @@ index 0000000..7a3dc05
+allow pcp_domain self:tcp_socket create_stream_socket_perms; +allow pcp_domain self:tcp_socket create_stream_socket_perms;
+allow pcp_domain self:udp_socket create_socket_perms; +allow pcp_domain self:udp_socket create_socket_perms;
+allow pcp_domain self:netlink_route_socket create_socket_perms; +allow pcp_domain self:netlink_route_socket create_socket_perms;
+allow pcp_domain self:unix_stream_socket connectto;
+ +
+corenet_tcp_connect_all_ephemeral_ports(pcp_domain) +corenet_tcp_connect_all_ephemeral_ports(pcp_domain)
+ +


@ -19,7 +19,7 @@
Summary: SELinux policy configuration Summary: SELinux policy configuration
Name: selinux-policy Name: selinux-policy
Version: 3.13.1 Version: 3.13.1
Release: 134%{?dist} Release: 135%{?dist}
License: GPLv2+ License: GPLv2+
Group: System Environment/Base Group: System Environment/Base
Source: serefpolicy-%{version}.tgz Source: serefpolicy-%{version}.tgz
@ -602,6 +602,30 @@ SELinux Reference policy mls base module.
%endif %endif
%changelog %changelog
* Thu Jul 09 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-135
- Update mta_filetrans_named_content() interface to cover more db files.
- Revert "Remove ftpd_use_passive_mode boolean. It does not make sense due to ephemeral port handling."
- Allow pcp domains to connect to own process using unix_stream_socket.
- Typo in abrt.te
- Allow abrt-upload-watch service to dbus chat with ABRT daemon and fsetid capability to allow run reporter-upload correctly.
- Add nagios_domtrans_unconfined_plugins() interface.
- Add nagios_domtrans_unconfined_plugins() interface.
- Add new boolean - httpd_run_ipa to allow httpd process to run IPA helper and dbus chat with oddjob.
- Add support for oddjob based helper in FreeIPA. BZ(1238165)
- Allow dnssec_trigger_t create dnssec_trigger_tmp_t files in /var/tmp/ BZ(1240840)
- Allow ctdb_t sending signull to smbd_t, for checking if smbd process exists. BZ(1224879)
- Fix cron_system_cronjob_use_shares boolean to call fs interfaces which contain only entrypoint permission.
- Add cron_system_cronjob_use_shares boolean to allow system cronjob to be executed from shares - NFS, CIFS, FUSE. It requires "entrypoint" permissios on nfs_t, cifs_t and fusefs_t SELinux types.
- nrpe needs kill capability to make gluster moniterd nodes working.
- Revert "Dontaudit ctbd_t sending signull to smbd_t."
- Fix interface corenet_tcp_connect_postgresql_port_port(prosody_t)
- Allow prosody connect to postgresql port.
- Fix logging_syslogd_run_nagios_plugins calling in logging.te
- Add logging_syslogd_run_nagios_plugins boolean for rsyslog to allow transition to nagios unconfined plugins.
- Add support for oddjob based helper in FreeIPA. BZ(1238165)
- Add new interfaces
- Add fs_fusefs_entry_type() interface.
* Thu Jul 02 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-134 * Thu Jul 02 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-134
- Allow ctdb_t sending signull to smbd_t, for checking if smbd process exists. BZ(1224879) - Allow ctdb_t sending signull to smbd_t, for checking if smbd process exists. BZ(1224879)
- Fix cron_system_cronjob_use_shares boolean to call fs interfaces which contain only entrypoint permission. - Fix cron_system_cronjob_use_shares boolean to call fs interfaces which contain only entrypoint permission.
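Review bot: the 3.13.1-135 changelog carries duplicate entries ("Add nagios_domtrans_unconfined_plugins() interface." and "Add support for oddjob based helper in FreeIPA. BZ(1238165)" each appear twice) and repeats several lines already recorded under 3.13.1-134 (the ctdb signull BZ(1224879) entry and the cron_system_cronjob_use_shares entries). It also has typos ("permissios", "moniterd", "ctbd_t") and a bare "Typo in abrt.te" with no detail; trim the repeats and fix the spelling before the build, since this text ships verbatim in the RPM.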